CVE-2026-53632
5.5
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
Summary
launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking. This vulnerability is fixed in 2.14.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| vitejs | launch-editor | < 2.14.1 | affected |
| vitejs | vite | >= 8.0.0, < 8.0.16 | affected |
| vitejs | vite | >= 7.0.0, < 7.3.5 | affected |
| vitejs | vite | < 6.4.3 | affected |
| vitejs | vite-plus | < 0.1.24 | affected |
Weaknesses
- CWE-73: CWE-73: External Control of File Name or Path
- CWE-522: CWE-522: Insufficiently Protected Credentials
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.