PT-2026-40542 · Esm Dev+1 · Esm.Sh+1

Splitline · Published 2026-05-12 · Updated 2026-05-28 · CVE-2026-44593

CVSS v4.0: 8.7 High

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

esm.sh versions 137 and earlier

Description

The legacy router retrieves a response from legacyServer, parses the request path, and writes data to storage using the buildStorage.Put() function. Because the router concatenates path components without sanitization, it produces a storage key that allows the underlying file system to resolve relative segments. This enables an attacker to craft requests that write data to arbitrary locations on the server, potentially leading to privilege escalation or remote code execution by overwriting critical binaries or scripts.

Recommendations

Update to a version later than 137.
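
The flaw class in the description, shown as an added Go example that is not esm.sh's code: an unvalidated key built by concatenation, next to a validated key and a containment check at the storage layer. All function names, the storage root and the sample path components are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var errUnsafeKey = errors.New("unsafe storage key")

// naiveKey (hypothetical) mirrors the flaw class described above: request path
// components are concatenated into a storage key without any validation.
func naiveKey(parts ...string) string {
	return strings.Join(parts, "/")
}

// safeKey (hypothetical) rejects empty, "." and ".." components, and any
// component containing a separator or NUL byte, before building the key.
func safeKey(parts ...string) (string, error) {
	for _, p := range parts {
		if p == "" || p == "." || p == ".." || strings.ContainsAny(p, "/\\\x00") {
			return "", errUnsafeKey
		}
	}
	return strings.Join(parts, "/"), nil
}

// resolveUnder (hypothetical) maps a key to a path below root and verifies the
// cleaned result is still inside root: a second check at the storage layer.
func resolveUnder(root, key string) (string, error) {
	full := filepath.Join(root, filepath.FromSlash(key))
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errUnsafeKey
	}
	return full, nil
}

func main() {
	root := "/var/lib/storage"                              // constructed sample root
	bad := []string{"legacy", "pkg", "..", "..", "..", "x"} // constructed input
	fmt.Println("naive key resolves to:", filepath.Join(root, naiveKey(bad...)))
	_, err := safeKey(bad...)
	fmt.Println("safeKey:", err)
	_, err = resolveUnder(root, naiveKey(bad...))
	fmt.Println("resolveUnder:", err)
}
```

Validating components at the router and checking containment again where the key becomes a file path means a miss in one layer does not by itself produce a write outside the storage root.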

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-44593
GHSA-3636-H3VX-6465

Affected Products

Esm.Sh
Github.Com/Esm-Dev/Esm.Sh