NVD Vulnerability Detail

Search Exploit, PoC

NVD脆弱性検索トップ

->

NVD Vulnerability Detail

CVE-2026-41211

Summary	Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, `downloadPackageManager()` accepts an untrusted `version` string and uses it directly in filesystem paths. A caller can supply `../` segments or an absolute path to escape the `VP_HOME/package_manager/<pm>/` cache root and make Vite+ delete, replace, and populate directories outside the intended cache location. Version 0.1.17 contains a patch.
Publication Date	April 23, 2026, 11:16 a.m.
Registration Date	April 25, 2026, 4:06 a.m.
Last Update	April 24, 2026, 11:50 p.m.

Related information, measures and tools

No	URL	refsource	タグ
1	https://github.com/voidzero-dev/vite-plus/security/advisories/GHSA-33r3-4whc-44c2	security-advisories@github.com
2	https://github.com/voidzero-dev/vite-plus/security/advisories/GHSA-33r3-4whc-44c2	134c704f-9b21-4f2e-91b3-4a467353bcc0

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-22	パス・トラバーサル	https://cwe.mitre.org/data/definitions/22.html