CVE-2026-41211

Name of the Vulnerable Software and Affected Versions Vite+ versions prior to 0.1.17

Description The downloadPackageManager() function accepts an untrusted version string and uses it directly in filesystem paths. This allows a caller to use absolute paths or ../ segments to escape the VP HOME/package manager/<pm>/ cache root, enabling the deletion, replacement, and population of directories outside the intended cache location.

Recommendations Update to version 0.1.17.