CVE-2026-53632
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk24th percentile — higher than 24% of all known CVEs
Summary
The launch-editor package allows users to open files with line numbers in the editor from Node.js. Prior to version 2.14.1, this package accesses arbitrary paths, including Windows UNC paths, leading to the leakage of the user's NTLMv2 password hash.
Risk Assessment
This vulnerability allows an attacker to capture the user's NTLMv2 password through a remote SMB server, resulting in credential compromise.
Recommendation
It is recommended to update the launch-editor package to version 2.14.1 or later to mitigate this vulnerability.
Original NVD description (English source)
launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking. This vulnerability is fixed in 2.14.1.

