| ID |
CVE-2026-41211
|
| Sažetak |
Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, `downloadPackageManager()` accepts an untrusted `version` string and uses it directly in filesystem paths. A caller can supply `../` segments or an absolute path to escape the `VP_HOME/package_manager/<pm>/` cache root and make Vite+ delete, replace, and populate directories outside the intended cache location. Version 0.1.17 contains a patch. |
| Reference |
|
| CVSS |
| Base: | 10.0 |
| Impact: | 5.8 |
| Exploitability: | 3.9 |
|
| Pristup |
| Vektor | Složenost | Autentikacija |
| NETWORK |
LOW |
NONE |
|
| Impact |
| Povjerljivost | Cjelovitost | Dostupnost |
| NONE |
HIGH |
HIGH |
|
| CVSS vektor |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H |
| Zadnje važnije ažuriranje |
29-04-2026 - 15:49 |
| Objavljeno |
23-04-2026 - 02:16 |
