CVE-2026-53632 | launch-editor allows users to open files with line numbers i… | CVSS 5.5 MEDIUM

Description

launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking. This vulnerability is fixed in 2.14.1.

Metadata

CVE ID: CVE-2026-53632
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-09 20:16 UTC
Published: 2026-06-22 15:54 UTC
Last updated: 2026-06-22 17:30 UTC
Primary CWE: CWE-73
CWE-73: External Control of File Name or Path
Vendor / Product: vitejs / launch-editor
Sources: cve.org · NVD

Severity & Metrics

5.5 MEDIUM CVSS 4.0

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: no
Tech. Impact: partial

Affected products (3)

Vendor	Product	Platform	Versions
vitejs	launch-editor	—	< 2.14.1
vitejs	vite	—	>= 8.0.0, < 8.0.16, >= 7.0.0, < 7.3.5, < 6.4.3
vitejs	vite-plus	—	< 0.1.24

Weakness (CWE)

CWE	Source	Description
CWE-522	cna	CWE-522: Insufficiently Protected Credentials
CWE-73	cna	CWE-73: External Control of File Name or Path

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.5	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

References (1)

https://github.com/vitejs/launch-editor/security/advisories/GHSA-v6wh-96g9-6wx3 https://github.com/vitejs/launch-editor/security/advisories/GHSA-v6wh-96g9-6wx3