CVE-2026-41211

CRITICAL WAF: High

CVSS 10.0 Published: 2026-04-23

CWE-22

Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, `downloadPackageManager()` accepts an untrusted `version` string and uses it directly in filesystem paths. A caller can supply `../` segments or an absolute path to escape the `VP_HOME/package_manager//` cache root and make Vite+ delete, replace, and populate directories outside the intended cache location. Version 0.1.17 contains a patch.

WAF Coverage Analysis

Path Traversal High WAF Coverage

OWASP: A01:2021 Broken Access Control

930xxx - Local File Inclusion

Affected Software

Vendor	Product	Version
voidzero	vite\+	up to 0.1.17

References

github.com (Exploit, Mitigation, Vendor Advisory)

Back to CVE Database