| CVE-2026-44593 | critical | — | 9.5 | | | | 22d ago | esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, the legacy router first retrieves a response from legacyServer, parses the incoming request path, and ulti… |
| CVE-2026-44594 | high | 7.5 | 7.5 | | | | 22d ago | esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, a Local File Inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the browser field in… |
| CVE-2025-59342 | unknown | — | 1.0 | | | | 9mo ago | esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header in github.com/esm-dev/esm.sh |
| CVE-2026-27730 | unknown | — | — | | | | 3mo ago | esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route in github.com/esm-dev/esm.sh |
| CVE-2025-50180 | unknown | — | — | | | | 3mo ago | esm.sh is vulnerable to full-response SSRF in github.com/esm-dev/esm.sh |
| CVE-2026-23644 | unknown | — | — | | | | 4mo ago | esm.sh has a path traversal in extractPackageTarball enables file writes from malicious packages |
| CVE-2025-65026 | unknown | — | — | | | | 7mo ago | esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript in github.com/esm-dev/esm.sh |
| CVE-2025-65025 | unknown | — | — | | | | 7mo ago | esm.sh CDN service has arbitrary file write via tarslip in github.com/esm-dev/esm.sh |
| CVE-2025-59341 | unknown | — | — | | | | 9mo ago | esm.sh has File Inclusion issue in github.com/esm-dev/esm.sh |