Path Traversal Vulnerability in esm.sh CDN Software
CVE-2026-23644

7.7HIGH

Key Information:

Vendor

Esm-dev

Status
Esm.sh
Vendor
CVE Published:
18 January 2026

What is CVE-2026-23644?

The esm.sh content delivery network (CDN) for web development has a path traversal vulnerability due to an incomplete fix in its handling of malicious tar files. The vulnerability exists in versions prior to Go pseudoversion 0.0.0-20260116051925-c62ab83c589e, where the path normalization function does not sufficiently prevent absolute paths from being processed. As a result, an attacker could exploit this weakness to access unauthorized directories on the server. A fix has been applied in the specified version to mitigate this risk.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

esm.sh < 0.0.0-20260116051925-c62ab83c589e

References

https://github.com/esm-dev/esm.sh/security/advisories/GHS...
x_refsource_CONFIRM
https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff...
x_refsource_MISC
https://github.com/esm-dev/esm.sh/commit/c62ab83c589e7b42...
x_refsource_MISC

CVSS V4

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.