What is CVE-2026-39364?

### Summary The contents of files that are specified by [`server.fs.deny`](https://vite.dev/config/server-options#server-fs-deny) can be returned to the browser. ### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) - the sensitive file exists in the allowed directories specified by [`server.fs.allow`](https://vite.dev/config/server-options#server-fs-allow) - the sensitive file is denied with a pattern that matches a file by [`server.fs.deny`](https://vite.dev/config/server-options#server-fs-deny) ### Details On the Vite dev server, files that should be blocked by `server.fs.deny` (e.g., `.env`, `*.crt`) can be retrieved with HTTP 200 responses when query parameters such as `?raw`, `?import&raw`, or `?import&url&inline` are appended. ### PoC 1. Start the dev server: `pnpm exec vite root --host 127.0.0.1 --port 5175 --strictPort` 2. Confirm that `server.fs.deny` is enforced (expect 403): `curl -i http://127.0.0.1:5175/src/.env | head -n 20` 3. Confirm that the same files can be retrieved with query parameters (expect 200):

What is the severity of CVE-2026-39364?

CVE-2026-39364 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-39364?

No known public exploits are currently available for CVE-2026-39364.

Is there a patch available for CVE-2026-39364?

Yes, patches are available for CVE-2026-39364. Check the vendor advisories for update instructions.

CVE-2026-39364 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

The contents of files that are specified by server.fs.deny can be returned to the browser.

Impact

Only apps that match the following conditions are affected:

explicitly exposes the Vite dev server to the network (using --host or server.host config option)
the sensitive file exists in the allowed directories specified by server.fs.allow
the sensitive file is denied with a pattern that matches a file by server.fs.deny

Details

On the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended.

PoC

Start the dev server: pnpm exec vite root --host 127.0.0.1 --port 5175 --strictPort
Confirm that server.fs.deny is enforced (expect 403): curl -i http://127.0.0.1:5175/src/.env | head -n 20 <img width="3944" height="1092" alt="image" src="https://github.com/user-attachments/assets/ecb9f2e0-e08f-4ac7-b194-e0f988c4cd4f" />
Confirm that the same files can be retrieved with query parameters (expect 200): <img width="2014" height="373" alt="image" src="https://github.com/user-attachments/assets/76bc2a6a-44f4-4161-ae47-eab5ae0c04a8" />

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Patch References

Github.com Github.com Github.com

Ready for Agentic Automated Testing?

CVE-2026-39364

Summary

Impact

Details

PoC