CVE-2026-47428

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-47428 is a reflected cross-site scripting flaw in Vitest's browser mode, in the `/__vitest_test__/` route. The `otelCarrier` query parameter is interpolated into an inline module script in the HTML response without escaping, so a crafted browser-runner URL can break out of the script context and inject arbitrary JavaScript. If a victim opens such a URL while the Vitest browser server is running, the injected script executes in the Vitest server's origin and can recover `VITEST_API_TOKEN`, the token that authenticates Vitest's WebSocket APIs. With that token the attacker can issue authenticated API calls, including overwriting files such as `vite.config.ts`, which can potentially escalate to code execution on the machine running Vitest.
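The injection pattern the description gives, as an added example that is not Vitest's code and not taken from the advisory: a hypothetical route handler that interpolates `otelCarrier` into an inline module script, beside a hardened version that JSON-encodes the value and escapes the characters that matter inside a `<script>` element. The template shape, the `startRunner` and `exfil` functions, `DEMO_SECRET` and both payloads are assumptions constructed for the demo; where Vitest actually keeps its token is not stated on this page.

```javascript
// Added example: the injection pattern described in the advisory, shown as a
// hypothetical template beside a hardened one. This is NOT Vitest's code; the
// template shape, the function names and DEMO_SECRET are assumptions.

// Stand-in for a secret reachable from the page's origin. The advisory says the
// injected script can recover the API token, not where or how it is held.
const DEMO_SECRET = "demo-api-token";

// Vulnerable pattern: the query parameter is interpolated straight into a
// double-quoted JavaScript string literal inside an inline module script.
function renderUnsafe(otelCarrier) {
  return `<!doctype html>
<html><body>
<script type="module">
const API_TOKEN = "${DEMO_SECRET}";
const otelCarrier = "${otelCarrier}";
startRunner(otelCarrier);
</script>
</body></html>`;
}

// Hardened pattern: serialise the value as JSON, then escape the characters
// that can close the <script> element or alter the surrounding HTML/JS
// (<, >, &) plus the two line terminators JSON leaves unescaped.
function jsonForInlineScript(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderSafe(otelCarrier) {
  return `<!doctype html>
<html><body>
<script type="module">
const API_TOKEN = "${DEMO_SECRET}";
const otelCarrier = ${jsonForInlineScript(otelCarrier)};
startRunner(otelCarrier);
</script>
</body></html>`;
}

// Pulls the first inline module script out of the rendered page.
function extractModuleScript(html) {
  const m = /<script type="module">([\s\S]*?)<\/script>/.exec(html);
  if (!m) throw new Error("no inline module script found");
  return m[1];
}

// Executes the inline script roughly as a browser would. `startRunner` stands
// for the page's own logic; `exfil` stands for the attacker's channel (a fetch
// to an attacker-controlled host in a real attack) so the demo runs offline.
function runInlineScript(html) {
  const result = { carrierSeen: null, leaked: null };
  new Function("startRunner", "exfil", extractModuleScript(html))(
    (carrier) => { result.carrierSeen = carrier; },
    (value) => { result.leaked = value; },
  );
  return result;
}

// Number of <script> start tags in the page; more than one means the
// parameter broke out of the script element at the HTML level.
function countScriptStartTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Two constructed payloads: one closes the string literal and injects a
// statement, the other closes the <script> element and opens a new one.
const STRING_BREAKOUT = '";exfil(API_TOKEN);//';
const HTML_BREAKOUT = '</script><script>exfil(API_TOKEN)</script>';

console.log("unsafe:", runInlineScript(renderUnsafe(STRING_BREAKOUT)));
console.log("safe:  ", runInlineScript(renderSafe(STRING_BREAKOUT)));
```

With the vulnerable template the first payload terminates the string literal, calls `exfil` with the in-scope secret and comments out the rest of the line, so the page still "works" while the secret leaves the origin; the second payload never needs valid JavaScript at all, because it ends the script element and starts a new one. The hardened template survives both because the value can only ever be a string literal: JSON encoding handles quotes and backslashes, and the extra `\u00xx` escapes stop the HTML parser from seeing `<`, `>` or `&`. An equally valid fix is not to put the value in script text at all (for example a `data-` attribute read with `dataset`, or a JSON `<script type="application/json">` block parsed with `JSON.parse`), which avoids the escaping question entirely.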

Description
-

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

2

References

Sources include official advisories and independent security research.