Description
server.fs check was not enforced to the fetchModule method that is exposed in Vite dev server’s WebSocket.
Recommendation
Update the vite package to the latest compatible version. Followings are version details:
Affected version(s): **>= 6.0.0, <= 6.4.1 >= 7.0.0, <= 7.3.1 >= 8.0.0, <= 8.0.4** Patched version(s): **6.4.2 7.3.2 8.0.5**
References
Related Issues
- Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload - CVE-2026-30948
- Signal K Server: Arbitrary Prototype Read via `from` Field Bypass - CVE-2026-35038
- Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types - CVE-2026-31868
- Storybook Dev Server is Vulnerable to WebSocket Hijacking - CVE-2026-27148
You might also like:
- Tags:
- npm
- vite
Anything's wrong? Let us know Last updated on April 07, 2026