Tag
critical
threat
Vitest Arbitrary File Read Vulnerability
2 rules, 2 TTPs
An arbitrary file read vulnerability exists in Vitest when the UI server is listening, especially when exposed to the network, allowing an attacker to read arbitrary files outside the project directory and potentially execute arbitrary scripts.
vitest
arbitrary-file-read
code-execution
cve-2026-47429
critical
advisory
Vitest Browser Mode XSS via otelCarrier Parameter Leads to RCE
2 rules, 2 TTPs, 2 IOCs
Vitest browser mode is vulnerable to reflected cross-site scripting (XSS) due to the `otelCarrier` query parameter being inserted directly into an inline module script without sanitization, enabling an attacker to craft a browser-runner URL that executes arbitrary JavaScript in the Vitest server origin, potentially leading to remote code execution (RCE).
@vitest/browser
xss
rce
vitest
javascript
dependency-vulnerability