RECENT vulnerabilities in the Vitest framework, which has over 53 million weekly downloads, expose development setups to remote code execution risks. Key flaws include:
1. **CVE-2026-47428**: An unsanitized query parameter vulnerability allows attackers to craft malicious URLs to execute arbitrary code and steal sensitive authentication tokens.
2. **CVE-2026-47429**: A file system loophole on Windows enables unauthenticated remote file access via path manipulation strings, allowing hackers to access confidential project data.
3. A flaw in the browser debugging mechanism allows malicious downloads directly into the project directory, bypassing administrative restrictions.
To mitigate these risks, users must update to versions 4.1.6 or 5.0.0-beta.3, which introduce improved verification controls and default deactivation of dangerous automation actions for public networks.