CVE-2026-53632: CWE-73: External Control of File Name or Path in vitejs launch-editor
launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking. This vulnerability is fixed in 2.14.1.
AI Analysis
Technical Summary
The launch-editor package used by vitejs enables users to open files with line numbers in an editor from Node.js. Versions prior to 2.14.1 improperly handle external file paths, allowing arbitrary UNC paths to be accessed. Opening such paths triggers Windows to perform NTLM authentication to the remote SMB server specified by the UNC path, leaking the user's NTLMv2 password hash. This hash can be captured by an attacker and cracked offline, compromising user credentials. The vulnerability is tracked as CVE-2026-53632 and is classified under CWE-73 (External Control of File Name or Path) and CWE-522 (Insufficiently Protected Credentials). The vulnerability has a CVSS 4.0 score of 5.5 (medium severity). The issue is resolved in launch-editor version 2.14.1.
Potential Impact
Exploitation of this vulnerability can lead to the leakage of NTLMv2 password hashes to an attacker-controlled SMB server when a UNC path is opened via the vulnerable launch-editor package. This can result in credential compromise if the attacker successfully cracks the captured hashes offline. There is no indication of remote code execution or direct system compromise beyond credential exposure.
Mitigation Recommendations
This vulnerability is fixed in launch-editor version 2.14.1. Users and organizations should upgrade to version 2.14.1 or later to remediate this issue. No official remediation level or temporary fix is provided beyond upgrading. Patch status is confirmed by the vendor stating the fix is in 2.14.1. Until upgraded, avoid opening UNC paths via launch-editor to prevent NTLM hash leakage.
CVE-2026-53632: CWE-73: External Control of File Name or Path in vitejs launch-editor
Description
launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking. This vulnerability is fixed in 2.14.1.
CVSS v4.0
Score 5.5medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The launch-editor package used by vitejs enables users to open files with line numbers in an editor from Node.js. Versions prior to 2.14.1 improperly handle external file paths, allowing arbitrary UNC paths to be accessed. Opening such paths triggers Windows to perform NTLM authentication to the remote SMB server specified by the UNC path, leaking the user's NTLMv2 password hash. This hash can be captured by an attacker and cracked offline, compromising user credentials. The vulnerability is tracked as CVE-2026-53632 and is classified under CWE-73 (External Control of File Name or Path) and CWE-522 (Insufficiently Protected Credentials). The vulnerability has a CVSS 4.0 score of 5.5 (medium severity). The issue is resolved in launch-editor version 2.14.1.
Potential Impact
Exploitation of this vulnerability can lead to the leakage of NTLMv2 password hashes to an attacker-controlled SMB server when a UNC path is opened via the vulnerable launch-editor package. This can result in credential compromise if the attacker successfully cracks the captured hashes offline. There is no indication of remote code execution or direct system compromise beyond credential exposure.
Mitigation Recommendations
This vulnerability is fixed in launch-editor version 2.14.1. Users and organizations should upgrade to version 2.14.1 or later to remediate this issue. No official remediation level or temporary fix is provided beyond upgrading. Patch status is confirmed by the vendor stating the fix is in 2.14.1. Until upgraded, avoid opening UNC paths via launch-editor to prevent NTLM hash leakage.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-09T20:16:59.647Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a39735beed863c81e396246
Added to database: 06/22/2026, 17:39:39 UTC
Last enriched: 06/22/2026, 17:56:05 UTC
Last updated: 06/22/2026, 20:07:53 UTC
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.