PT-2026-3403 · Esm.Sh · Esm.Sh
Kelbyludwig · Published 2026-01-18 · Updated 2026-03-03 · CVE-2026-23644
CVSS v4.0: 8.7 (High)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
esm.sh versions prior to 0.0.0-20260116051925-c62ab83c589e
Description
esm.sh is a content delivery network for web development. Versions prior to pseudoversion 0.0.0-20260116051925-c62ab83c589e contain a path traversal issue. The issue stems from an incomplete fix: path.Clean normalizes an entry name taken from a tar file (collapsing "." and ".." segments), but it does not reject an absolute path. An entry name in a malicious tar file that begins with "/" therefore survives normalization as an absolute path and is not confined to the intended directory.
Recommendations
Update to version 0.0.0-20260116051925-c62ab83c589e or later.
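The check described above, as an added example rather than esm.sh's own code: cleanOnlyTarget is a hypothetical reconstruction of a fix that normalizes a tar entry name with path.Clean and rejects only names that still begin with "..", and safeTarget is the hardened form. The entry names, the destination directory srv/esm/pkg, and the chdir-style resolution by which an absolute name leaves the destination are all assumptions for illustration; the advisory does not say how esm.sh resolves entry names.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path"
	"path/filepath"
	"strings"
)

// SampleEntries are constructed tar entry names (not from any real package): two
// benign names, a dot-dot traversal, and an absolute name that stays absolute after Clean.
var SampleEntries = []string{
	"package/index.js",
	"package/lib/../main.js",
	"../../etc/cron.d/evil",
	"/../etc/cron.d/evil",
}

// buildTar packs the names as one-byte regular files into an in-memory tarball.
func buildTar(names []string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		hdr := &tar.Header{Name: n, Mode: 0o644, Size: 1, Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write([]byte("x")); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// cleanOnlyTarget is a hypothetical reconstruction of the incomplete fix, not esm.sh's
// code: path.Clean collapses "." and "..", a name still starting with ".." is rejected,
// but an absolute name passes untouched and (as open() after chdir would) leaves dest.
func cleanOnlyTarget(dest, name string) (string, error) {
	cleaned := path.Clean(name)
	if cleaned == ".." || strings.HasPrefix(cleaned, "../") {
		return "", errors.New("traversal rejected")
	}
	if path.IsAbs(cleaned) {
		return filepath.FromSlash(cleaned), nil // BUG: escapes dest entirely
	}
	return filepath.Join(dest, filepath.FromSlash(cleaned)), nil
}

// safeTarget is the hardened check: filepath.IsLocal (Go 1.20+) rejects absolute, empty,
// ".."-escaping and Windows-reserved names; filepath.Rel confirms the join stays under dest.
func safeTarget(dest, name string) (string, error) {
	local := filepath.FromSlash(name)
	if !filepath.IsLocal(local) {
		return "", fmt.Errorf("unsafe entry name %q", name)
	}
	target := filepath.Join(dest, local)
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q escapes %q", name, dest)
	}
	return target, nil
}

// resolveAll returns the path each tar entry resolves to under the given check,
// skipping entries the check rejects.
func resolveAll(dest string, tarball []byte, resolve func(dest, name string) (string, error)) ([]string, error) {
	var accepted []string
	tr := tar.NewReader(bytes.NewReader(tarball))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return accepted, nil
		}
		// With GODEBUG=tarinsecurepath=0 the reader flags such names itself but
		// still returns the header, so fall through to our own check.
		if err != nil && !errors.Is(err, tar.ErrInsecurePath) {
			return nil, err
		}
		if target, rerr := resolve(dest, hdr.Name); rerr == nil {
			accepted = append(accepted, target)
		}
	}
}

func main() {
	dest := filepath.Join("srv", "esm", "pkg") // assumed destination directory
	tarball := buildTar(SampleEntries)
	weak, _ := resolveAll(dest, tarball, cleanOnlyTarget)
	hard, _ := resolveAll(dest, tarball, safeTarget)
	fmt.Println("clean-only accepts:", weak)
	fmt.Println("hardened accepts:  ", hard)
}
```

Run with go run: the clean-only check accepts /etc/cron.d/evil, because path.Clean collapses the leading "/.." to "/" and the ".." test never fires, while the hardened check accepts only the two package/ entries. Since Go 1.20 archive/tar can flag such names itself via GODEBUG=tarinsecurepath=0, but that setting is off by default, so an extractor still needs its own check before using an entry name.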
Exploit
Fix
Weakness Enumeration
Path traversal
Affected Products
Esm.Sh