VYPR

Vitest

by Vitest Dev

Source repositories

CVEs (3)

  • CVE-2026-47429criJun 1, 2026
    risk 0.59cvss epss 0.01

    ### Summary Arbitrary file can be read on Windows when Vitest UI server is listening, especially when exposed to the network. ### Impact Only users that match either of the following conditions are affected: - explicitly exposes the Vitest UI server to the network (using…

  • CVE-2026-53633criJun 15, 2026
    risk 0.52cvss epss 0.01

    ## Summary Vitest Browser Mode exposes a `cdp()` API that forwards raw Chrome DevTools Protocol (CDP) methods over the Vitest browser WebSocket RPC. CDP is not gated by `browser.api.allowWrite`, `browser.api.allowExec`, `api.allowWrite`, or `api.allowExec`. As a result,…

  • CVE-2026-47428criJun 1, 2026
    risk 0.52cvss epss 0.00

    ## Summary Vitest browser mode served `/__vitest_test__/` with the `otelCarrier` query parameter inserted directly into an inline module script. Because this value was treated as JavaScript source rather than data, an attacker could craft a browser-runner URL that executes…