CVE-2026-47429
Severity CVSS v4.0:
Pending analysis
Type:
CWE-22
Path Traversal
Publication date:
14/07/2026
Last modified:
14/07/2026
Description
Vitest is a testing framework powered by Vite. Prior to 3.2.5 and 4.1.0, the Vitest UI/API server on Windows used isFileServingAllowed incorrectly for /__vitest_attachment__, allowing \\?\\..\\ path traversal to read files outside the project; exposed API write and rerun features such as saveTestFile and rerun could also allow arbitrary script execution. This issue is fixed in versions 3.2.5 and 4.1.0.
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
References to Advisories, Solutions, and Tools
- https://github.com/vitest-dev/vitest/commit/20e00ef7808de6d330c5e2fda530f686e08f1c8d
- https://github.com/vitest-dev/vitest/commit/af88b1f5d82844a4761ea9a977156c98e2b14ca8
- https://github.com/vitest-dev/vitest/pull/10445
- https://github.com/vitest-dev/vitest/pull/9350
- https://github.com/vitest-dev/vitest/releases/tag/v3.2.5
- https://github.com/vitest-dev/vitest/releases/tag/v4.1.0
- https://github.com/vitest-dev/vitest/security/advisories/GHSA-5xrq-8626-4rwp



