Incorrect Behavior Order: Validate Before Canonicalize

CVE-2026-39364

High

8.2/10

Summary

Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.0 prior to 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-180 - Incorrect Behavior Order: Validate Before Canonicalize

The software validates input before it is canonicalized, which prevents the software from detecting data that becomes invalid after the canonicalization step.

References

Advisory
Pull request
Release Note

Advisory Timeline

Published Apr 07, 2026

Incorrect Behavior Order: Validate Before Canonicalize

CVE-2026-39364

Summary

CWE-180 - Incorrect Behavior Order: Validate Before Canonicalize

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS