Orihjfrog

#15451of 53,635
17.5Total CVSS
Vulnerabilities · 3
Medium
3
PT-2025-36528
5.3
2025-09-08
Vite · Vite · CVE-2025-58751
Name of the Vulnerable Software and Affected Versions: Vite versions prior to 7.1.5 Vite versions prior to 7.0.7 Vite versions prior to 6.3.6 Vite versions prior to 5.4.20 Description: Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name within the public directory could be served bypassing the `server.fs` settings. Only applications that explicitly expose the Vite dev server to the network (using --host or `server.host` config option), utilize the public directory feature (enabled by default), and contain a symlink in the public directory are affected. Recommendations: Update to Vite version 7.1.5 or later. Update to Vite version 7.0.7 or later. Update to Vite version 6.3.6 or later. Update to Vite version 5.4.20 or later.
PT-2025-36529
5.3
2025-09-08
Vite · Vite · CVE-2025-58752
Name of the Vulnerable Software and Affected Versions: Vite versions prior to 7.1.5 Vite versions prior to 7.0.7 Vite versions prior to 6.3.6 Vite versions prior to 5.4.20 Description: Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only applications that explicitly expose the Vite dev server to the network (using `--host` or `server.host` config option) and use `appType: 'spa'` (default) or `appType: 'mpa'` are affected. This issue also affects the preview server, which allowed HTML files not under the output directory to be served. Recommendations: Update to Vite version 7.1.5 or later. Update to Vite version 7.0.7 or later. Update to Vite version 6.3.6 or later. Update to Vite version 5.4.20 or later.
PT-2025-31675
6.9
2025-07-28
Unknown · Webfinger.Js · CVE-2025-54590
**Name of the Vulnerable Software and Affected Versions** webfinger.js versions 2.8.0 and below **Description** webfinger.js is a TypeScript-based WebFinger client used in browser and Node.js environments. The `lookup` function does not prevent access to localhost services, only checking for hosts that start with "localhost" and end with a port. This allows attackers to perform blind Server-Side Request Forgery (SSRF) attacks by sending GET requests with controlled host, path, and port parameters to query services on the instance's host or local network. **Recommendations** Update to version 2.8.1 or later.