CVE-2024-52011
launch-editor allows users to open files with line numbers in editor from Node.js. Prior to version 2.9.0, due to the insufficient sanitizat
CVSS
8.3
High
EPSS
0.5%
p41
KEV
—
Exploit Today
12
0-100
Published: Jun 1, 2026 · Last modified: Jul 15, 2026 · CWE-77 · CWE-88
0.5%EPSS · 30 days0.5%
2026-06-302026-07-17
launch-editor allows users to open files with line numbers in editor from Node.js. Prior to version 2.9.0, due to the insufficient sanitization of the `file` argument in the `launchEditor`, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters. This issue has been fixed in the `launch-editor` version 2.9.0, corresponding to vite version 5.4.9.
- github.comhttps://github.com/vitejs/launch-editor/commit/971291e8a6a91226e1616c5c0ec85423d2d50a5e
- github.comhttps://github.com/vitejs/launch-editor/security/advisories/GHSA-c27g-q93r-2cwf
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:34342
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2024-52011
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2483853
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2024/cve-2024-52011.json
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-422718.8 HIG99.6%
KEV—80BerriAI LiteLLM Command Injection Vulnerability3dCVE-2023-349609.8 CRI99.9%
——30A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name.9dCVE-2023-376799.8 CRI99.9%
——30A remote command execution (RCE) vulnerability in NextGen Mirth Connect v4.3.0 allows attackers to execute arbitrary commands on the hosting server.9dCVE-2026-80379.6 CRI98.6%
——30OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an un-authenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints5dCVE-2022-457018.8 HIG98.5%
——30Arris TG2482A firmware through 9.1.103GEM9 allow Remote Code Execution (RCE) via the ping utility feature.9dCVE-2023-337828.8 HIG98.3%
——30D-Link DIR-842V2 v1.0.3 was discovered to contain a command injection vulnerability via the iperf3 diagnostics function.9d