Description
server.fs check was not enforced to the fetchModule method that is exposed in Vite dev server’s WebSocket.
Recommendation
Update the vite package to the latest compatible version. Followings are version details:
Affected version(s): **>= 6.0.0, <= 6.4.1 >= 7.0.0, <= 7.3.1 >= 8.0.0, <= 8.0.4** Patched version(s): **6.4.2 7.3.2 8.0.5**
References
Related Issues
- Signal K Server: Arbitrary Prototype Read via `from` Field Bypass - CVE-2026-35038
- Storybook Dev Server is Vulnerable to WebSocket Hijacking - CVE-2026-27148
- Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload - CVE-2026-30948
- Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types - CVE-2026-31868
You might also like:
- Tags:
- npm
- vite
Anything's wrong? Let us know Last updated on April 07, 2026


