CVE-2026-27730

Name of the Vulnerable Software and Affected Versions esm.sh versions up to and including 137

Description esm.sh is a content delivery network (CDN) for web development. A server-side request forgery (SSRF) issue (CWE-918) exists in the /http(s) fetch route. The service attempts to prevent requests to localhost or internal targets, but the validation relies on hostname string checks, which can be circumvented using DNS alias domains. This allows an external party to make the esm.sh server fetch internal localhost services.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.