CVE-2023-49293

MEDIUMNVD 6.16.1—Elevated

6.1

Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts (...), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to server.transformIndexHtml. Only apps using appType: 'custom' and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability.

CVSS v3: 6.1
EG Score: 6.1(medium)
EPSS: 91.8%
KEV: Not listed

Published

December 4, 2023

Last Modified

November 21, 2024

References (2)

security-advisories@githubhttps://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97
af854a3a-2127-422b-91ae-364da2661108https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97

Affected Packages

(1 across 1 ecosystem)

npm(1)

Package	Vulnerable range	Fixed in	Dependents
vite	—	5.0.5	—

Weakness Classification(1)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

CWE-79Cross-site Scripting (XSS)

Data Freshness Timeline

(refreshed 10× in last 7d / 18× in last 30d)

Every time one of our enrichment pipelines (NVD, MITRE cvelistV5, EPSS, CISA KEV, GHSA, OSV, vendor advisories) ran against this CVE. Most recent first.

2026-06-02 20:12 UTCepss_batch
2026-06-02 20:12 UTCepss_batch
2026-06-01 13:51 UTCepss_batch
2026-06-01 13:51 UTCepss_batch
2026-05-31 22:30 UTCepss_batch
2026-05-31 22:30 UTCepss_batch
2026-05-31 00:15 UTCepss_batch
2026-05-31 00:15 UTCepss_batch
2026-05-29 13:43 UTCepss_batch
2026-05-28 13:44 UTCepss_batch
2026-05-27 13:39 UTCepss_batch
2026-05-27 13:39 UTCepss_batch
2026-05-26 13:43 UTCepss_batch
2026-05-26 13:43 UTCepss_batch
2026-05-26 07:18 UTCepss_batch
2026-05-26 07:18 UTCepss_batch
2026-05-26 07:18 UTCepss_batch
2026-05-24 12:49 UTCEG score recompute

Publicly available exploits

(1 reference)

Working exploit code is in the public domain. Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.

Nucleihttp/cves/2023/CVE-2023-49293.yaml
First seen Jan 1, 2023
Vite dev server - Cross-Site Scripting
Open source ↗

Frequently asked(5)

What is CVE-2023-49293?

CVE-2023-49293 is a medium vulnerability published on December 4, 2023. Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts (<script type="module">...</script>), it is possible to inject…

When was CVE-2023-49293 disclosed?

CVE-2023-49293 was first published in the National Vulnerability Database on December 4, 2023, with the most recent update on November 21, 2024. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

Is CVE-2023-49293 actively exploited?

CVE-2023-49293 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 91.8% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.

What is the CVSS score of CVE-2023-49293?

CVE-2023-49293 has a CVSS v3 base score of 6.1 (NVD).

How do I remediate CVE-2023-49293?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2023-49293, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2023-49293

Explore →

Is Your Infrastructure Affected by CVE-2023-49293?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs

CVE-2023-49293

📅 Published

🔄 Last Modified

🔗 References (2)