What is the severity of CVE-2026-53571?

CVE-2026-53571 has a CVSS v3 score of 7.5, which is classified as High severity.

Is there an exploit available for CVE-2026-53571?

No known public exploits are currently available for CVE-2026-53571.

Is there a patch available for CVE-2026-53571?

Yes, patches are available for CVE-2026-53571. Check the vendor advisories for update instructions.

CVE-2026-53571

Q: What is CVE-2026-53571?

### Summary The contents of files that are specified by [`server.fs.deny`](https://vite.dev/config/server-options#server-fs-deny) can be returned to the browser on Windows. ### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) - the sensitive file exists in the allowed directories specified by [`server.fs.allow`](https://vite.dev/config/server-options#server-fs-allow) - either of: - the sensitive file exists in an NTFS volume - the dev server is running on Windows and the sensitive file exists in a volume that 8.3 short name generation is enabled (it is enabled by default on system volumes) ### Details Vite’s dev server denies direct access to sensitive files through `server.fs.deny`, including entries such as `.env`, `.env.*`, and `*.{crt,pem}`. However, on Windows, the deny logic does not correctly normalize NTFS ADS path forms before access checks are applied. Because of this, requests such as `/.env::$DATA?raw` are treated as allowed paths, while Windows resolves them to the original file's default data stream. Similar to that, Windows allows accessing a file using a different name with the 8.3 short name compatibility feature. Vite did not reject accessing files via them. ### PoC ```bash $ npm create vite@latest $ cd vite-project/ $ npm install $ npm run dev ``` Access via browser at `http://localhost:5173/.env::$DATA?raw` Example expected result: - `/.env::$DATA?raw` returns the contents of `.env` - `/tls.pem::$DATA?raw` returns the contents of `tls.pem`

Published: June 25, 2026

Last updated:3 hours ago (June 25, 2026)

Exploit: NoZero-day: NoPatch: YesTrend: Neutral

TL;DR

Updated June 25, 2026

CVE-2026-53571 is a high severity vulnerability with a CVSS score of 7.5. No known exploits currently, and patches are available.

Key Points

1High severity (CVSS 7.5/10)
2No known public exploits
3Vendor patches are available
4Strobes Priority Score: 508/1000 (Medium)
5Affects products from: Voidzero, Vitejs, Microsoft

Test this CVE with Agentic AI

Deploy autonomous AI agents to validate this vulnerability in your environment.

Severity Scores

CVSS v37.5

CVSS v20.0

Priority Score508.0

EPSS Score0.0

High

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

7.5

CVSS

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

The contents of files that are specified by server.fs.deny can be returned to the browser on Windows.

Impact

Only apps that match the following conditions are affected:

explicitly exposes the Vite dev server to the network (using --host or server.host config option)
the sensitive file exists in the allowed directories specified by server.fs.allow
either of:
- the sensitive file exists in an NTFS volume
- the dev server is running on Windows and the sensitive file exists in a volume that 8.3 short name generation is enabled (it is enabled by default on system volumes)

Details

Vite’s dev server denies direct access to sensitive files through server.fs.deny, including entries such as .env, .env.*, and *.{crt,pem}. However, on Windows, the deny logic does not correctly normalize NTFS ADS path forms before access checks are applied. Because of this, requests such as /.env::$DATA?raw are treated as allowed paths, while Windows resolves them to the original file's default data stream.

Similar to that, Windows allows accessing a file using a different name with the 8.3 short name compatibility feature. Vite did not reject accessing files via them.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

Access via browser at http://localhost:5173/.env::$DATA?raw <img width="388" height="129" alt="deecc1315123883cfd0f9c26a002845a" src="https://github.com/user-attachments/assets/895c6012-4e2e-4a35-babb-69bbf3ee7170" />

Example expected result:

/.env::$DATA?raw returns the contents of .env
/tls.pem::$DATA?raw returns the contents of tls.pem

CVSS v3 Breakdown

Attack Vector:Network

Attack Complexity:Local

Privileges Required:Network

User Interaction:Network

Scope:Unchanged

Confidentiality:High

Integrity:Network

Availability:Network

Patch References

Security [email protected]

Trend Analysis

Neutral

Vulnerable Products

Vendor	Product
Voidzero	Vite\+
Vitejs	Vite
Microsoft	Windows

Advisories

GitHub Advisory

NVD: Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Vite’s dev server denies direct access to sensitive files through server.fs.deny, including entries such as .env, .env.*, and *.{crt,pem}. However, on Windows, the deny logic does not correctly normalize NTFS ADS path forms before access checks are applied. Because of this, requests such as /.env::$DATA?raw are treated as allowed paths, while Windows resolves them to the original file's default data stream. Similar to that, Windows allows accessing a file using a different name with the 8.3 short name compatibility feature. Vite did not reject accessing files via them. This vulnerability is fixed in 8.0.16, 7.3.5, and 6.4.3.

Cite This Page

APA Format

Strobes VI. (2026). CVE-2026-53571 - CVE Details and Analysis. Strobes VI. Retrieved June 25, 2026, from https://vi.strobes.co/cve/CVE-2026-53571

Quick copy link + title

Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.

Summary

The contents of files that are specified by server.fs.deny can be returned to the browser on Windows.

Impact

Only apps that match the following conditions are affected:

explicitly exposes the Vite dev server to the network (using --host or server.host config option)
the sensitive file exists in the allowed directories specified by server.fs.allow
either of:
- the sensitive file exists in an NTFS volume
- the dev server is running on Windows and the sensitive file exists in a volume that 8.3 short name generation is enabled (it is enabled by default on system volumes)

Details

Similar to that, Windows allows accessing a file using a different name with the 8.3 short name compatibility feature. Vite did not reject accessing files via them.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

Example expected result:

/.env::$DATA?raw returns the contents of .env
/tls.pem::$DATA?raw returns the contents of tls.pem

Vendor

Product

Voidzero

Vite\+

Vitejs

Vite

Microsoft

Windows

CVE-2026-53571

Summary

Impact

Details

PoC

Ready for Agentic Automated Testing?

CVE-2026-53571

Summary

Impact

Details

PoC