PT-2025-47504 · Esm.Sh · Esm.Sh

Published 2025-11-19 · Updated 2025-12-15 · CVE-2025-65026

CVSS v3.1: 9.6 (Critical)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: esm.sh versions prior to 136
Description: The esm.sh CDN service converts CSS files to JavaScript modules without properly sanitizing the CSS content. When a CSS file is requested with the ?module parameter, the service returns a JavaScript module that embeds the CSS content in a template literal. Because template literals evaluate ${...} expressions, an attacker can inject malicious JavaScript code by placing ${...} expressions in a CSS file. This can lead to Cross-Site Scripting (XSS) in browsers and Remote Code Execution (RCE) in Electron applications. The vulnerable feature is the conversion of CSS files to JavaScript modules.
Recommendations: Update to version 136 or later.
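The defect described above, as an added illustration that is not esm.sh's code: a naive converter that drops a stylesheet into a template literal, beside a hardened converter that emits the stylesheet as a JSON string literal, which has no interpolation. The function names and the sample stylesheet are constructed for this example; the actual fix shipped in esm.sh 136 may be implemented differently.

```javascript
// Added example, not code from esm.sh. Function names and the sample CSS are
// constructed for illustration.

// Constructed stylesheet: ordinary CSS, except that its content string happens
// to contain "${...}", which a template literal would treat as an expression.
const SAMPLE_CSS = '.banner::after { content: "${1 + 1}"; }';

// Vulnerable pattern: the CSS becomes the body of a backtick string. The JS
// parser then interprets backticks, backslashes and "${" inside the CSS.
function toJsModuleNaive(css) {
  return "export default `" + css + "`;";
}

// Hardened form: serialise the CSS as a JSON string literal. JSON.stringify
// escapes backslashes, double quotes, newlines and control characters, and a
// double-quoted string never interpolates, so "${" and backticks are inert.
// U+2028/U+2029 are escaped as well so the literal is safe in older parsers.
function toJsModuleSafe(css) {
  const literal = JSON.stringify(css)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return "export default " + literal + ";";
}

// Evaluate a generated module's default export the way a loader would, so the
// value a browser would actually receive can be inspected.
function loadModuleDefault(moduleSource) {
  const body = moduleSource.replace(/^export default /, "return ");
  return new Function(body)();
}

// Check used by the hardened path: the module must hand back the stylesheet
// byte-for-byte, whatever characters it contains.
function roundTrips(css) {
  return loadModuleDefault(toJsModuleSafe(css)) === css;
}

// Stand-alone demonstration: the naive module changes the CSS (the expression
// ran), the hardened module returns it unchanged.
console.log(loadModuleDefault(toJsModuleNaive(SAMPLE_CSS)));
console.log(loadModuleDefault(toJsModuleSafe(SAMPLE_CSS)));
```

Note that rejecting or stripping `${` from the CSS is not an adequate fix on its own: a backtick or a trailing backslash in the stylesheet also terminates or corrupts the template literal. Emitting a proper string literal removes the whole class of problem, and the round-trip check above is the regression test to keep.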

Tags: Exploit · Fix · RCE · Code Injection · XSS

Weakness Enumeration

Related Identifiers

CVE-2025-65026
GHSA-HCPF-QV9M-VFGP
GO-2025-4139
SUSE-SU-2025:4395-1

Affected Products

Esm.Sh