CVE-2026-39365 is a CISA KEV-confirmed path traversal in Vite’s development server (CVSS 7.5, High) that allows unauthenticated reads of arbitrary source map files outside the project root, including .env files, private keys, and configuration files accessible by the Vite process. Affected versions span three active release branches: 6.0.0 through 6.4.1, 7.x through 7.3.1, and 8.x through 8.0.4. CISA KEV confirmation signals active exploitation; any Vite dev server reachable by untrusted parties is an immediate source disclosure and credential exposure risk.