{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41211", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-18T02:51:52.975Z", "datePublished": "2026-04-23T00:56:15.568Z", "dateUpdated": "2026-04-23T12:32:17.823Z"}, "containers": {"cna": {"title": "`vite-plus/binding` has path traversal `downloadPackageManager()` that leads to writes outside of `VP_HOME`", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/voidzero-dev/vite-plus/security/advisories/GHSA-33r3-4whc-44c2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/voidzero-dev/vite-plus/security/advisories/GHSA-33r3-4whc-44c2"}], "affected": [{"vendor": "voidzero-dev", "product": "vite-plus", "versions": [{"version": "< 0.1.17", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T00:56:15.568Z"}, "descriptions": [{"lang": "en", "value": "Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, `downloadPackageManager()` accepts an untrusted `version` string and uses it directly in filesystem paths. A caller can supply `../` segments or an absolute path to escape the `VP_HOME/package_manager/<pm>/` cache root and make Vite+ delete, replace, and populate directories outside the intended cache location. Version 0.1.17 contains a patch."}], "source": {"advisory": "GHSA-33r3-4whc-44c2", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/voidzero-dev/vite-plus/security/advisories/GHSA-33r3-4whc-44c2", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T12:32:13.986712Z", "id": "CVE-2026-41211", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T12:32:17.823Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41211", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-23T12:32:13.986712Z"}}}], "references": [{"url": "https://github.com/voidzero-dev/vite-plus/security/advisories/GHSA-33r3-4whc-44c2", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T12:32:07.490Z"}}], "cna": {"title": "`vite-plus/binding` has path traversal `downloadPackageManager()` that leads to writes outside of `VP_HOME`", "source": {"advisory": "GHSA-33r3-4whc-44c2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "voidzero-dev", "product": "vite-plus", "versions": [{"status": "affected", "version": "< 0.1.17"}]}], "references": [{"url": "https://github.com/voidzero-dev/vite-plus/security/advisories/GHSA-33r3-4whc-44c2", "name": "https://github.com/voidzero-dev/vite-plus/security/advisories/GHSA-33r3-4whc-44c2", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, `downloadPackageManager()` accepts an untrusted `version` string and uses it directly in filesystem paths. A caller can supply `../` segments or an absolute path to escape the `VP_HOME/package_manager/<pm>/` cache root and make Vite+ delete, replace, and populate directories outside the intended cache location. Version 0.1.17 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T00:56:15.568Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41211", "state": "PUBLISHED", "dateUpdated": "2026-04-23T12:32:17.823Z", "dateReserved": "2026-04-18T02:51:52.975Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-23T00:56:15.568Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:voidzero:vite\\+:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "E67387AD-4C86-4DBB-9E24-0B25F6AEA79F", "versionEndExcluding": "0.1.17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, `downloadPackageManager()` accepts an untrusted `version` string and uses it directly in filesystem paths. A caller can supply `../` segments or an absolute path to escape the `VP_HOME/package_manager/<pm>/` cache root and make Vite+ delete, replace, and populate directories outside the intended cache location. Version 0.1.17 contains a patch."}], "id": "CVE-2026-41211", "lastModified": "2026-04-29T15:49:45.557", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.8, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-23T02:16:18.860", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/voidzero-dev/vite-plus/security/advisories/GHSA-33r3-4whc-44c2"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/voidzero-dev/vite-plus/security/advisories/GHSA-33r3-4whc-44c2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.1.17)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "vite-plus", "source": "cna", "vendor": "voidzero-dev"}, "product": "vite-plus", "vendor": "voidzero-dev"}], "analysis": {"en": {"generated_at": "2026-04-28T15:01:29.924640+00:00", "value": {"mitigation_remediation": ["Upgrade Vite+ to version\u202f0.1.17 or later to apply the vendor\u2019s path\u2011sanitization patch.", "If an immediate upgrade is not possible, validate the version parameter to reject any values containing \u2018..\u2019 or absolute path separators, ensuring that only legitimate semantic\u2011version strings are accepted.", "Run Vite+ with the least privilege principle, restricting the process\u2019s write permissions to the VP_HOME directory and preventing writes to system locations."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary file write via path traversal"}, "threat_synthesis": {"affected_systems": "Affected product is vite-plus from the voidzero-dev repository. Versions released before 0.1.17 are vulnerable. Later releases, including 0.1.17 and above, incorporate a patch that sanitizes the input path.", "description_and_impact": "Vite+ is a web development toolchain that, before version\u202f0.1.17, allowed callers to trigger the function downloadPackageManager() with an untrusted version string. The function used that string directly to construct filesystem paths inside VP_HOME/package_manager/<pm>/, but it did not sanitize or resolve relative components. A malicious caller can embed \u2018../\u2019 segments or an absolute path, causing the function to write to arbitrary locations outside the intended cache directory. These writes can delete, replace, or populate directories that are not part of the VP_HOME tree, potentially compromising the host filesystem or installing arbitrary code.", "risk_and_exploitability": "The CVSS score of 8.4 indicates a high severity vulnerability. The EPSS score of less than\u202f1\u202f% suggests a low probability of widespread exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Because the function accepts a user\u2011provided parameter, the attack can be carried out by any caller that can invoke downloadPackageManager(). If the tool is exposed through a network service, remote actors could exploit it; otherwise, an attacker with local access could craft the request. The primary vector is a malicious input supplied to the downloadPackageManager() function, leading to path traversal and arbitrary file writes."}}}}, "created": "2026-04-28T09:26:28.619133+00:00", "updated": "2026-04-28T15:15:34.197711+00:00", "vendors": ["voidzero-dev", "voidzero-dev$PRODUCT$vite-plus"]}