Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-2h32-95rg-cppp | Vitest browser mode serves unsanitized otelCarrier query parameter as inline script |
Wed, 15 Jul 2026 16:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Vitest.dev
Vitest.dev vitest |
|
| Vendors & Products |
Vitest.dev
Vitest.dev vitest |
Wed, 15 Jul 2026 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Tue, 14 Jul 2026 20:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Vitest is a testing framework powered by Vite. From 4.0.17 until 4.1.6 and 5.0.0-beta.3, Vitest Browser Mode served /__vitest_test__/ with the otelCarrier query parameter inserted directly into an inline module script, allowing a crafted browser-runner URL to execute arbitrary JavaScript in the Vitest server origin and recover VITEST_API_TOKEN for authenticated API calls. This issue is fixed in versions 4.1.6 and 5.0.0-beta.3. | |
| Title | Vitest browser mode serves unsanitized otelCarrier query parameter as inline script | |
| Weaknesses | CWE-79 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-15T13:20:14.275Z
Reserved: 2026-05-19T19:37:43.527Z
Link: CVE-2026-47428
Updated: 2026-07-15T13:20:01.057Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-15T16:30:04Z
Github GHSA