← back
CVE-2026-47429

Vitest: Arbitrary file can be read and executed when Vitest UI server is listening

CVSS 9.8 CRITICALCWE-22
Vexday Risk Score
45Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
Exploit maturity
Proof of concept
Public proof of concept exists, but not yet automated.
CVSS 9.8EPSS KEV nãoPoC públicaNuclei Metasploit Patch
Lifecycle
09 Jun 2026Public PoC
14 Jul 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
Vitest is a testing framework powered by Vite. Prior to 3.2.5 and 4.1.0, the Vitest UI/API server on Windows used isFileServingAllowed incorrectly for /__vitest_attachment__, allowing \\?\\..\\ path traversal to read files outside the project; exposed API write and rerun features such as saveTestFile and rerun could also allow arbitrary script execution. This issue is fixed in versions 3.2.5 and 4.1.0.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
vitest-dev · vitest
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.