{"id":"CVE-2026-41211","summary":"`vite-plus/binding` has path traversal `downloadPackageManager()` that leads to writes outside of `VP_HOME`","details":"Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, `downloadPackageManager()` accepts an untrusted `version` string and uses it directly in filesystem paths. A caller can supply `../` segments or an absolute path to escape the `VP_HOME/package_manager/\u003cpm\u003e/` cache root and make Vite+ delete, replace, and populate directories outside the intended cache location. Version 0.1.17 contains a patch.","aliases":["GHSA-33r3-4whc-44c2"],"modified":"2026-07-15T01:49:02.183321013Z","published":"2026-04-23T00:56:15.568Z","database_specific":{"cwe_ids":["CWE-22"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41211.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41211.json"},{"type":"ADVISORY","url":"https://github.com/voidzero-dev/vite-plus/security/advisories/GHSA-33r3-4whc-44c2"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41211"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/voidzero-dev/vite-plus","events":[{"introduced":"0"},{"fixed":"e159b84a95199fc17a7ffddef14caeefc81c90f2"}],"database_specific":{"source":["AFFECTED_FIELD","CPE_RANGE"],"cpe":"cpe:2.3:a:voidzero:vite\\+:*:*:*:*:*:node.js:*:*","extracted_events":[{"introduced":"0"},{"fixed":"0.1.17"}]}}],"versions":["v0.1.17-alpha.5","v0.1.16","v0.1.15","v0.1.14","v0.1.14-alpha.3","v0.1.14-alpha.0","v0.1.13","v0.1.13-alpha.5","v0.1.13-alpha.4","v0.1.12","v0.1.12-alpha.2","v0.1.11","v0.1.10","v0.1.9","v0.1.8","v0.1.7","v0.1.6","v0.1.5","v0.1.4","v0.1.3","v0.1.2","v0.1.1","v0.1.1-alpha.0","v0.1.0","v0.0.2-g3cb78c3c.20260305-0800","v0.0.2-g17a37daf.20260304-1136","v0.0.2-gd8fe16bf.20260302-1535","v0.0.0-g61d318d2.20260227-0939","v0.0.0-g52709db6.20260226-1136","v0.0.0-g0fd4d06d.20260225-1306","v0.0.0-gd42e0ca6.20260225-0619","v0.0.0-e32b32e5.20260224-0706","v0.0.0-3262bda4.20260210-0221","v0.0.0-0bfcc90f.20260209-0731","v0.0.0-8a22e149.20260207-1117","v0.0.0-f48af939.20260205-0533","v0.0.0-833c515fa25cef20905a7f9affb156dfa6f151ab","v0.0.0-40918e094cfc5866505c7c99ca8187c4793b88f6","v0.0.0-dfd5c99899261c54d5b19dceaa831fab310d6171","v0.0.0-ffb4d08a8edafe855c59736c0a38ee85a2373ebb","v0.0.0-88c8bdd71344c6d38f5f11fb41e9070034598d79","v0.0.0-569bd560c8521f4cacc62e99477f14c99ca44a38","v0.0.0-9f9a209dd123932614c8b5a568375a002e34562b"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41211.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H"}]}