<Vulnerability name="CVE-2026-47428">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-07-14T19:30:19</PublicDate>
    <Bugzilla id="2500578" url="https://bugzilla.redhat.com/show_bug.cgi?id=2500578" xml:lang="en:us">
vitest: Vitest: Arbitrary code execution via crafted browser-runner URL
    </Bugzilla>
    <CVSS3 status="verified">
        <CVSS3BaseScore>8.3</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-79</CWE>
    <Details xml:lang="en:us" source="Mitre">
Vitest is a testing framework powered by Vite. From 4.0.17 until 4.1.6 and 5.0.0-beta.3, Vitest Browser Mode served /__vitest_test__/ with the otelCarrier query parameter inserted directly into an inline module script, allowing a crafted browser-runner URL to execute arbitrary JavaScript in the Vitest server origin and recover VITEST_API_TOKEN for authenticated API calls. This issue is fixed in versions 4.1.6 and 5.0.0-beta.3.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Vitest, a testing framework. In Vitest Browser Mode, a remote attacker could craft a specific browser-runner URL that, when visited, would allow the execution of arbitrary JavaScript code within the Vitest server. This vulnerability could also lead to the recovery of the VITEST_API_TOKEN, potentially enabling unauthorized authenticated API calls and further compromise of the system.
    </Details>
    <Statement xml:lang="en:us">
Red Hat has assessed this flaw against its shipping products. The vulnerability requires @vitest/browser (Vitest's opt-in Browser Mode) to be installed and actively enabled; it does not affect the core `vitest` test runner used without Browser Mode. None of Red Hat's shipping products install or execute @vitest/browser, and none configure or enable Browser Mode. Where Vitest is present, it is used strictly as a build/test-time devDependency (core vitest and its non-browser submodules such as expect, runner, snapshot, spy, and utils), not as a shipped runtime component, and several affected streams already ship patched versions (&gt;=4.1.6) or versions below the vulnerable range. Accordingly, while the CVSS score reflects a genuinely severe flaw in Vitest Browser Mode upstream, Red Hat's shipping products are not reachable via this vulnerability.
    </Statement>
    <Mitigation xml:lang="en:us">
No mitigation is required for Red Hat shipping products, as the vulnerable @vitest/browser package and Browser Mode feature are not present or enabled in any Red Hat product. Development teams using Vitest as a build/test-time dependency should avoid introducing @vitest/browser or enabling Browser Mode in CI/local environments, and should upgrade to Vitest &gt;=4.1.6 (or &gt;=5.0.0-beta.3 on the 5.x beta line) where Vitest is used, as a matter of general hygiene.
    </Mitigation>
    <AffectedRelease impact="critical" cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-07-13T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:39058">RHSA-2026:39058</Advisory>
        <Package name="prometheus3-13-main">prometheus3-13-main-3.13.1-0.1.hum1</Package>
    </AffectedRelease>
    <PackageState cpe="cpe:/a:redhat:amq_broker:7">
        <ProductName>Red Hat AMQ Broker 7</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>vitest</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ansible_automation_platform:2">
        <ProductName>Red Hat Ansible Automation Platform 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>ansible-automation-platform-26/gateway-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ansible_automation_platform:2">
        <ProductName>Red Hat Ansible Automation Platform 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>ansible-automation-platform-27/gateway-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:build_keycloak:">
        <ProductName>Red Hat Build of Keycloak</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>vitest</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:podman_desktop:1">
        <ProductName>Red Hat Build of Podman Desktop</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>rh-podman-desktop.git</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_enterprise_application_platform:8">
        <ProductName>Red Hat JBoss Enterprise Application Platform 8</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>vitest</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>openshift4/ose-agent-installer-ui-rhel9</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-47428
https://nvd.nist.gov/vuln/detail/CVE-2026-47428
https://github.com/vitest-dev/vitest/commit/18af98cee1830604d57f6a02bf28f8067cdffc06
https://github.com/vitest-dev/vitest/commit/3514f9fa135c90e1c35754fc4d27c9cf351faafa
https://github.com/vitest-dev/vitest/pull/10283
https://github.com/vitest-dev/vitest/pull/10285
https://github.com/vitest-dev/vitest/releases/tag/v4.1.6
https://github.com/vitest-dev/vitest/releases/tag/v5.0.0-beta.3
https://github.com/vitest-dev/vitest/security/advisories/GHSA-2h32-95rg-cppp
    </References>
</Vulnerability>