CVE-2026-41211

`vite-plus/binding` has path traversal `downloadPackageManager()` that leads to writes outside of `VP_HOME`

Description

Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, `downloadPackageManager()` accepts an untrusted `version` string and uses it directly in filesystem paths. A caller can supply `../` segments or an absolute path to escape the `VP_HOME/package_manager/<pm>/` cache root and make Vite+ delete, replace, and populate directories outside the intended cache location. Version 0.1.17 contains a patch.

INFO

Published Date :

2026-04-23T00:56:15.568Z

Last Modified :

2026-04-23T12:32:17.823Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-41211 vulnerability.

Vendors	Products
Voidzero	Vite\+
Voidzero-dev	Vite-plus

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-41211.

URL	Resource
https://github.com/voidzero-dev/vite-plus/security/advisories/GHSA-33r3-4whc-44c2

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability