Publish Advisories

GHSA-4w7w-66w2-5vf9
GHSA-6qcc-6q27-whp8
GHSA-v2wj-q39q-566r

Author: advisory-database[bot]

advisories/github-reviewed/2026/04/GHSA-4w7w-66w2-5vf9/GHSA-4w7w-66w2-5vf9.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4w7w-66w2-5vf9",
-  "modified": "2026-04-06T18:03:46Z",
+  "modified": "2026-04-07T14:18:32Z",
   "published": "2026-04-06T18:03:46Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-39365"
+  ],
   "summary": "Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling",
   "details": "### Summary\n\nAny files ending with `.map` even out side the project can be returned to the browser.\n\n### Impact\n\nOnly apps that match the following conditions are affected:\n\n- explicitly exposes the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host))\n- have a sensitive content in files ending with `.map` and the path is predictable\n\n### Details\n\nIn Vite v7.3.1, the dev server’s handling of `.map` requests for optimized dependencies resolves file paths and calls `readFile` without restricting `../` segments in the URL. As a result, it is possible to bypass the [`server.fs.strict`](https://vite.dev/config/server-options#server-fs-strict) allow list and retrieve `.map` files located outside the project root, provided they can be parsed as valid source map JSON.\n\n### PoC\n1. Create a minimal PoC sourcemap outside the project root\n    ```bash\n    cat > /tmp/poc.map <<'EOF'\n    {\"version\":3,\"file\":\"x.js\",\"sources\":[],\"names\":[],\"mappings\":\"\"}\n    EOF\n    ```\n2. Start the Vite dev server (example)\n    ```bash\n    pnpm -C playground/fs-serve dev --host 127.0.0.1 --port 18080\n    ```\n3. Confirm that direct `/@fs` access is blocked by `strict` (returns 403)\n    <img width=\"4004\" height=\"1038\" alt=\"image\" src=\"https://github.com/user-attachments/assets/15a859a8-1dc6-4105-8d58-80527c0dd9ab\" />\n4. Inject `../` segments under the optimized deps `.map` URL prefix to reach `/tmp/poc.map`\n    <img width=\"2790\" height=\"846\" alt=\"image\" src=\"https://github.com/user-attachments/assets/5d02957d-2e6a-4c45-9819-3f024e0e81f2\" />",
   "severity": [

advisories/github-reviewed/2026/04/GHSA-6qcc-6q27-whp8/GHSA-6qcc-6q27-whp8.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6qcc-6q27-whp8",
-  "modified": "2026-04-03T21:58:48Z",
+  "modified": "2026-04-07T14:19:34Z",
   "published": "2026-04-03T21:58:47Z",
   "aliases": [
     "CVE-2026-35471"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-6qcc-6q27-whp8"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35471"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/patrickhener/goshs/commit/237f3af891a90df9b903b85f1cd3438040ca261a"
@@ -56,6 +60,6 @@
     "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-03T21:58:47Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-06T22:16:23Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-v2wj-q39q-566r/GHSA-v2wj-q39q-566r.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-v2wj-q39q-566r",
-  "modified": "2026-04-06T18:03:32Z",
+  "modified": "2026-04-07T14:18:17Z",
   "published": "2026-04-06T18:03:32Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-39364"
+  ],
   "summary": "Vite: `server.fs.deny` bypassed with queries",
   "details": "### Summary\n\nThe contents of files that are specified by [`server.fs.deny`](https://vite.dev/config/server-options#server-fs-deny) can be returned to the browser.\n\n### Impact\n\nOnly apps that match the following conditions are affected:\n\n- explicitly exposes the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host))\n- the sensitive file exists in the allowed directories specified by [`server.fs.allow`](https://vite.dev/config/server-options#server-fs-allow)\n- the sensitive file is denied with a pattern that matches a file by [`server.fs.deny`](https://vite.dev/config/server-options#server-fs-deny)\n\n### Details\n\nOn the Vite dev server, files that should be blocked by `server.fs.deny` (e.g., `.env`, `*.crt`) can be retrieved with HTTP 200 responses when query parameters such as `?raw`, `?import&raw`, or `?import&url&inline` are appended.\n\n### PoC\n\n1. Start the dev server: `pnpm exec vite root --host 127.0.0.1 --port 5175 --strictPort`\n2. Confirm that `server.fs.deny` is enforced (expect 403): `curl -i http://127.0.0.1:5175/src/.env | head -n 20`\n   <img width=\"3944\" height=\"1092\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ecb9f2e0-e08f-4ac7-b194-e0f988c4cd4f\" />\n3. Confirm that the same files can be retrieved with query parameters (expect 200):\n   <img width=\"2014\" height=\"373\" alt=\"image\" src=\"https://github.com/user-attachments/assets/76bc2a6a-44f4-4161-ae47-eab5ae0c04a8\" />",
   "severity": [