CVE Alert

CVE-2026-53632

UNKNOWN 0.0

NTLMv2 hash disclosure via UNC path handling on Windows

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user's NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking. This vulnerability is fixed in 2.14.1.
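A path check of the kind this class of flaw calls for, as an added example; it is not launch-editor's 2.14.1 patch, which this page does not show. The function names and sample paths are hypothetical and constructed, and the check assumes Windows path semantics.

```javascript
// Added example: classify a path with string checks only, before it reaches
// any file-system or process-spawning API, so nothing touches the network.

// Windows accepts '/' and '\' interchangeably, so '//host/share' is UNC too.
function toBackslashes(p) {
  return p.replace(/\//g, '\\');
}

// Returns 'unc', 'unc-device', 'local-device' or 'local'.
function classifyWindowsPath(input) {
  if (typeof input !== 'string' || input.length === 0) {
    throw new TypeError('path must be a non-empty string');
  }
  const p = toBackslashes(input);
  // \\?\UNC\host\share\... and \\.\UNC\host\share\... still reach a remote host.
  if (/^\\\\[?.]\\UNC\\/i.test(p)) return 'unc-device';
  // \\?\C:\... and \\.\name are device-namespace paths on the local machine.
  if (/^\\\\[?.]\\/.test(p)) return 'local-device';
  // \\host\share\... where host may be a name or an IP literal.
  if (/^\\\\[^\\]+/.test(p)) return 'unc';
  return 'local';
}

// Conservative policy for an "open in editor" endpoint: only plain local paths.
function isSafeToOpen(input) {
  return classifyWindowsPath(input) === 'local';
}

// Constructed sample inputs, including the file:line:column form.
const samples = [
  'C:\\src\\app.js:10:2',
  'src/app.js',
  '\\\\198.51.100.7\\share\\app.js',
  '//files.example/share/app.js:10:2',
  '\\\\?\\UNC\\files.example\\share\\app.js',
  '\\\\?\\C:\\src\\app.js',
];
for (const s of samples) {
  console.log(s, '->', classifyWindowsPath(s), isSafeToOpen(s) ? 'open' : 'reject');
}
```

The check must run before any call that resolves the path (for example an existence check), because on Windows resolving a UNC path is what starts the SMB connection.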

CWE: CWE-73, CWE-522
Vendor: vitejs
Product: launch-editor
Published: Jun 22, 2026
Last Updated: Jun 22, 2026

Affected Versions

vitejs / launch-editor: < 2.14.1
vitejs / vite: >= 8.0.0, < 8.0.16; >= 7.0.0, < 7.3.5; < 6.4.3
vitejs / vite-plus: < 0.1.24

References

github.com: https://github.com/vitejs/launch-editor/security/advisories/GHSA-v6wh-96g9-6wx3