CVE-2026-39364 PoC — Vite has a `server.fs.deny` bypass with queries

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-39364.yaml

Associated Vulnerability

Title:Vite has a `server.fs.deny` bypass with queries (CVE-2026-39364)
Description:Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.

Description

Vite is a modern frontend build tool. In Vite prior to versions 6.4.3, 6.3.4, and 5.4.23, a directory traversal vulnerability affects the Vite development server. When the Vite dev server is launched with the --host or server.host option, an unauthenticated attacker can craft a request with a path containing dot segments (e.g., /.vite/../<filename>) to bypass static file restrictions and access arbitrary files on the filesystem under the project root. The vulnerability allows access to files normally denied by Vite’s "server.fs.deny" setting, including sensitive files like .env, configuration files, or credentials in the project root. This issue has been fixed in versions 6.4.3, 6.3.4, and 5.4.23.

File Snapshot

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →