CVE-2026-23644
Severity: HIGH
esm.sh < 0.0.0-20260116051925-c62ab83c589e - Path Traversal
Title source: llmDescription
esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix: `path.Clean` normalizes a path but does not prevent absolute paths in a malicious tar file, so an absolute entry name is left intact and can still escape the intended output directory. Commit https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16, corresponding to pseudoversion 0.0.0-20260116051925-c62ab83c589e, fixes this issue.
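To make the `path.Clean` gap concrete, here is an added Go example (not esm.sh's code or its patch): a reconstruction of a clean-only check that accepts absolute tar entry names, beside a containment check that rejects absolute names, `..` escapes and anything resolving outside the destination directory. The destination `/srv/out` and the entry names are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

var ErrUnsafePath = errors.New("unsafe tar entry name")

// IsSafeCleanOnly is a reconstruction (not the project's code) of a check that
// stops at path.Clean: it catches "../" escapes but accepts an absolute name,
// because path.Clean keeps the leading "/" ("/../etc/x" cleans to "/etc/x").
func IsSafeCleanOnly(name string) bool {
	clean := path.Clean(name)
	return clean != ".." && !strings.HasPrefix(clean, "../")
}

// SafeEntryPath resolves a tar entry name under destDir and rejects anything
// that would land outside it: absolute names, ".." escapes, and any joined
// result whose path relative to destDir still climbs upward.
func SafeEntryPath(destDir, name string) (string, error) {
	// Tar names are slash-separated, so the path package handles the first pass.
	if path.IsAbs(name) || filepath.IsAbs(name) {
		return "", ErrUnsafePath
	}
	clean := path.Clean(name)
	if clean == ".." || strings.HasPrefix(clean, "../") {
		return "", ErrUnsafePath
	}
	full := filepath.Join(destDir, filepath.FromSlash(clean))
	// Final containment check against the cleaned destination directory.
	rel, err := filepath.Rel(filepath.Clean(destDir), full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return full, nil
}

func main() {
	// Constructed entry names of the kind a crafted archive could carry.
	for _, name := range []string{"pkg/./dist/index.js", "../../x", "/../etc/x"} {
		full, err := SafeEntryPath("/srv/out", name)
		fmt.Printf("%-22q cleanOnly=%-5v safe=%q err=%v\n", name, IsSafeCleanOnly(name), full, err)
	}
}
```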
References (4)
Vendor Advisory (x_refsource_confirm): https://github.com/esm-dev/esm.sh/security/advisories/GHSA-2657-3c98-63jq
Patch (x_refsource_misc): https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16
Patch (x_refsource_misc): https://github.com/esm-dev/esm.sh/commit/c62ab83c589e7b421a0e1376d2a00a4e48161093
Various Sources (x_refsource_misc): https://pkg.go.dev/vuln/GO-2025-4138
Scores
CVSS v3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS: 0.0011
EPSS Percentile: 28.3%
Attack Vector: NETWORK
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-22
Status: published
Products (2)
esm/esm.sh: < 136
esm-dev/esm.sh: 0.0.1 (Go)
Published: Jan 18, 2026
Tracked Since: Feb 18, 2026