CVE-2026-39363 - Vite Dev Server - Arbitrary File Read#15823

Merged
DhiyaneshGeek merged 4 commits into main from CVE-2026-39363
Apr 17, 2026

@theamanrawat theamanrawat commented Apr 7, 2026

PR Information

  • Fixed CVE-2020-XXX / Added CVE-2020-XXX / Updated CVE-2020-XXX
  • References:

Template validation

  • Validated with a host running a vulnerable version and/or configuration (True Positive)
  • Validated with a host running a patched version and/or configuration (avoid False Positive)

Additional Details (leave it blank if not applicable)

Additional References:

@theamanrawat theamanrawat self-assigned this Apr 7, 2026
neo-by-projectdiscovery-dev bot commented Apr 7, 2026

Neo - Nuclei Template Review

High: 1

Current PR state: 1 high active finding.

Highlights

  • High: Host Header Injection in WebSocket Upgrade Request in javascript/cves/2026/CVE-2026-39363.yaml:33

High (1)

  • Host Header Injection in WebSocket Upgrade Request: javascript/cves/2026/CVE-2026-39363.yaml:33
    The WebSocket upgrade request on line 33 hardcodes localhost in the Host header instead of using the dynamic target_host variable. When scanning remote Vite dev servers (e.g., example.com:5173), the template sends Host: localhost:5173 instead of Host: example.com:5173, which will cause the connection to fail or be rejected by the server.

Comment @pdneo help for available commands. · Open in Neo
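
The mismatch described in the finding above can be caught with a pre-send check; this is an added example, not part of the PR or the template under review. The function names, the request path and the sample requests are assumptions constructed for illustration.

```javascript
// Added example: verify that a raw WebSocket upgrade request names the scanned target in Host.
// Build the Host header value a client should send for a target URL.
function expectedHost(target) {
  // URL.host brackets IPv6 literals and omits the scheme's default port.
  return new URL(target).host.toLowerCase();
}

// Parse the header section of a raw HTTP/1.1 request into [name, value] pairs.
function parseHeaders(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0];
  return head.split(/\r?\n/).slice(1).map((line) => {
    const i = line.indexOf(":");
    return i < 0 ? null : [line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim()];
  }).filter(Boolean);
}

// Compare the request's Host header with the authority of the target being scanned.
function checkUpgradeHost(raw, target) {
  const headers = parseHeaders(raw);
  const hosts = headers.filter(([n]) => n === "host").map(([, v]) => v.toLowerCase());
  const isUpgrade = headers.some(([n, v]) => n === "upgrade" && v.toLowerCase() === "websocket");
  const want = expectedHost(target);
  if (!isUpgrade) return { ok: false, reason: "not a WebSocket upgrade request" };
  if (hosts.length !== 1) return { ok: false, reason: `expected one Host header, found ${hosts.length}` };
  if (hosts[0] !== want) return { ok: false, reason: `Host is ${hosts[0]}, target is ${want}` };
  return { ok: true, reason: "Host matches target" };
}

// Constructed sample upgrade request (path and key are placeholders).
function sampleRequest(host) {
  return [
    "GET / HTTP/1.1",
    `Host: ${host}`,
    "Upgrade: websocket",
    "Connection: Upgrade",
    "Sec-WebSocket-Version: 13",
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",
    "", "",
  ].join("\r\n");
}

console.log(checkUpgradeHost(sampleRequest("localhost:5173"), "http://example.com:5173"));
console.log(checkUpgradeHost(sampleRequest("example.com:5173"), "http://example.com:5173"));
```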

@theamanrawat theamanrawat added the Status: In Progress This issue is being worked on, and has someone assigned. label Apr 7, 2026
@github-actions github-actions bot requested a review from ritikchaddha April 7, 2026 06:40
@theamanrawat theamanrawat added Done Ready to merge and removed Status: In Progress This issue is being worked on, and has someone assigned. labels Apr 7, 2026
Comment thread javascript/cves/2026/CVE-2026-39363.yaml Outdated
theamanrawat and others added 2 commits April 13, 2026 10:46
Co-authored-by: neo-by-projectdiscovery-dev[bot] <261965179+neo-by-projectdiscovery-dev[bot]@users.noreply.github.com>
@DhiyaneshGeek DhiyaneshGeek merged commit f283262 into main Apr 17, 2026
4 checks passed
@DhiyaneshGeek DhiyaneshGeek deleted the CVE-2026-39363 branch April 17, 2026 06:40
4 participants