Vulnerable Library - @forgerock/pingone-scripts-0.0.0.tgz
Path to vulnerable library: /package.json
Found in HEAD commit: 2de357c456eebbefdaa6afc21a8f601a5d91d1a1
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (@forgerock/pingone-scripts version) |
Remediation Possible** |
| CVE-2026-39364 |
 High |
7.5 |
vite-7.3.1.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-39363 |
High |
7.5 |
vite-7.3.1.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-39365 |
 Medium |
5.3 |
vite-7.3.1.tgz |
Transitive |
N/A* |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-39364
Vulnerable Library - vite-7.3.1.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-7.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @forgerock/pingone-scripts-0.0.0.tgz (Root Library)
- vitest-3.2.4.tgz
- ❌ vite-7.3.1.tgz (Vulnerable Library)
Found in HEAD commit: 2de357c456eebbefdaa6afc21a8f601a5d91d1a1
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.
Publish Date: 2026-04-07
URL: CVE-2026-39364
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-v2wj-q39q-566r
Release Date: 2026-04-07
Fix Resolution: https://github.com/vitejs/vite.git - v7.3.2,https://github.com/vitejs/vite.git - v8.0.5
CVE-2026-39363
Vulnerable Library - vite-7.3.1.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-7.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @forgerock/pingone-scripts-0.0.0.tgz (Root Library)
- vitest-3.2.4.tgz
- ❌ vite-7.3.1.tgz (Vulnerable Library)
Found in HEAD commit: 2de357c456eebbefdaa6afc21a8f601a5d91d1a1
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
Publish Date: 2026-04-07
URL: CVE-2026-39363
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-p9ff-h696-f583
Release Date: 2026-04-07
Fix Resolution: vite-plus - 0.1.16,https://github.com/vitejs/vite.git - v7.3.2,https://github.com/vitejs/vite.git - v6.4.2,https://github.com/vitejs/vite.git - v8.0.5
CVE-2026-39365
Vulnerable Library - vite-7.3.1.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-7.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @forgerock/pingone-scripts-0.0.0.tgz (Root Library)
- vitest-3.2.4.tgz
- ❌ vite-7.3.1.tgz (Vulnerable Library)
Found in HEAD commit: 2de357c456eebbefdaa6afc21a8f601a5d91d1a1
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
Publish Date: 2026-04-07
URL: CVE-2026-39365
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-4w7w-66w2-5vf9
Release Date: 2026-04-07
Fix Resolution: vite - 7.3.2,vite - 6.4.2,vite - 8.0.5
Path to vulnerable library: /package.json
Found in HEAD commit: 2de357c456eebbefdaa6afc21a8f601a5d91d1a1
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - vite-7.3.1.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-7.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 2de357c456eebbefdaa6afc21a8f601a5d91d1a1
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.
Publish Date: 2026-04-07
URL: CVE-2026-39364
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-v2wj-q39q-566r
Release Date: 2026-04-07
Fix Resolution: https://github.com/vitejs/vite.git - v7.3.2,https://github.com/vitejs/vite.git - v8.0.5
Vulnerable Library - vite-7.3.1.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-7.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 2de357c456eebbefdaa6afc21a8f601a5d91d1a1
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
Publish Date: 2026-04-07
URL: CVE-2026-39363
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-p9ff-h696-f583
Release Date: 2026-04-07
Fix Resolution: vite-plus - 0.1.16,https://github.com/vitejs/vite.git - v7.3.2,https://github.com/vitejs/vite.git - v6.4.2,https://github.com/vitejs/vite.git - v8.0.5
Vulnerable Library - vite-7.3.1.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-7.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 2de357c456eebbefdaa6afc21a8f601a5d91d1a1
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
Publish Date: 2026-04-07
URL: CVE-2026-39365
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-4w7w-66w2-5vf9
Release Date: 2026-04-07
Fix Resolution: vite - 7.3.2,vite - 6.4.2,vite - 8.0.5