CVE-2026-41211

UNKNOWN 0.0

`vite-plus/binding` has path traversal `downloadPackageManager()` that leads to writes outside of `VP_HOME`

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, `downloadPackageManager()` accepts an untrusted `version` string and uses it directly in filesystem paths. A caller can supply `../` segments or an absolute path to escape the `VP_HOME/package_manager/<pm>/` cache root and make Vite+ delete, replace, and populate directories outside the intended cache location. Version 0.1.17 contains a patch.

CWE	CWE-22
Vendor	voidzero-dev
Product	vite-plus
Published	Apr 23, 2026

Stay Ahead of the Next One

Get instant alerts for voidzero-dev vite-plus

Be the first to know when new unknown vulnerabilities affecting voidzero-dev vite-plus are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

voidzero-dev / vite-plus

< 0.1.17

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/voidzero-dev/vite-plus/security/advisories/GHSA-33r3-4whc-44c2