CVE-2026-53632
NTLMv2 hash disclosure via UNC path handling on Windows
Description
launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking. This vulnerability is fixed in 2.14.1.
INFO
Published Date :
June 22, 2026, 3:54 p.m.
Last Modified :
June 22, 2026, 3:54 p.m.
Remotely Exploit :
No
Source :
GitHub_M
Solution
- Update launch-editor to version 2.14.1 or later.
- Remove dependency on vulnerable launch-editor versions.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-53632 vulnerability anywhere in the article.