CVE Catalog

CVE-2026-53632

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.32%

24th percentile — higher than 24% of all known CVEs

Summary

The launch-editor package allows users to open files with line numbers in the editor from Node.js. Prior to version 2.14.1, this package accesses arbitrary paths, including Windows UNC paths, leading to the leakage of the user's NTLMv2 password hash.

Risk Assessment

This vulnerability allows an attacker to capture the user's NTLMv2 password through a remote SMB server, resulting in credential compromise.

Recommendation

It is recommended to update the launch-editor package to version 2.14.1 or later to mitigate this vulnerability.

Original NVD description (English source)

launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking. This vulnerability is fixed in 2.14.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS