Is vite-plus affected by CVE-2026-41211?

npm vite-plus is affected in <0.1.17.

Is CVE-2026-41211 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.3%.

high

CVE-2026-41211

Q: Is CVE-2026-41211 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.3%.

npm · vite-plus

Summary

Path traversal in vite-plus/binding downloadPackageManager() writes outside VP_HOME

Severity: high
EPSS: 0.3% (p23)
Also known as: GHSA-33r3-4whc-44c2
Published: 2026-04-16

References

https://github.com/voidzero-dev/vite-plus/security/advisories/GHSA-33r3-4whc-44c2
https://nvd.nist.gov/vuln/detail/CVE-2026-41211
https://github.com/voidzero-dev/vite-plus

Related advisories

CVE-2026-53633 — critical · npm/vite-plus
CVE-2026-53571 — high · npm/vite-plus
CVE-2026-53632 — medium · npm/vite-plus

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.