CVE-2026-47429
Vitest: Arbitrary file can be read and executed when Vitest UI server is listening
Vexday Risk Score
45Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
Exploit maturity
Proof of concept
Public proof of concept exists, but not yet automated.
CVSS 9.8EPSS —KEV nãoPoC públicaNuclei —Metasploit —Patch —
Lifecycle
09 Jun 2026Public PoC
14 Jul 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
Vitest is a testing framework powered by Vite. Prior to 3.2.5 and 4.1.0, the Vitest UI/API server on Windows used isFileServingAllowed incorrectly for /__vitest_attachment__, allowing \\?\\..\\ path traversal to read files outside the project; exposed API write and rerun features such as saveTestFile and rerun could also allow arbitrary script execution. This issue is fixed in versions 3.2.5 and 4.1.0.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
vitest-dev · vitestpublic PoCs found — 1
githubgithub.com/az9713/cve-lite-on-pi★ 0⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://github.com/vitest-dev/vitest/commit/20e00ef7808de6d330c5e2fda530f686e08f1c8dhttps://github.com/vitest-dev/vitest/commit/af88b1f5d82844a4761ea9a977156c98e2b14ca8https://github.com/vitest-dev/vitest/pull/10445https://github.com/vitest-dev/vitest/pull/9350https://github.com/vitest-dev/vitest/releases/tag/v3.2.5https://github.com/vitest-dev/vitest/releases/tag/v4.1.0https://github.com/vitest-dev/vitest/security/advisories/GHSA-5xrq-8626-4rwp