CVE-2026-44594
Severity: HIGH
esm.sh: Path Traversal via package.json browser field allows reading arbitrary server files
Title source: cnaDescription
esm.sh is a no-build content delivery network (CDN) for web development. In versions 137 and earlier, a Local File Inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package whose browser field causes the server to read and return arbitrary files from the host filesystem during the build process. The CVSS vector (C:H/I:N/A:N) reflects this: the impact is disclosure of server files, not modification or denial of service.
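As an added illustration of the kind of containment check that closes a CWE-22 issue of this shape, the Go program below parses the object form of a package.json browser field and rejects any mapping whose target would resolve outside the directory the package was unpacked into. This is example code written for this page, not esm.sh's code or its patch; the unpack directory under /srv/esm-build, the function names and the sample package.json are all constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsidePackage: a browser-field target would resolve outside the
// directory the package tarball was unpacked into.
var ErrOutsidePackage = errors.New("browser field target escapes package root")

// BrowserField is the object form of package.json "browser": specifier ->
// replacement path (string) or false ("stub this module out in the browser").
type BrowserField map[string]any

// ParseBrowserField reads the "browser" object out of a package.json.
func ParseBrowserField(pkgJSON []byte) (BrowserField, error) {
	var pkg struct {
		Browser map[string]json.RawMessage `json:"browser"`
	}
	if err := json.Unmarshal(pkgJSON, &pkg); err != nil {
		return nil, err
	}
	bf := make(BrowserField, len(pkg.Browser))
	for k, v := range pkg.Browser {
		var s string
		if json.Unmarshal(v, &s) == nil {
			bf[k] = s
			continue
		}
		var b bool
		if json.Unmarshal(v, &b) == nil && !b {
			bf[k] = false
			continue
		}
		return nil, fmt.Errorf("browser[%q]: unsupported value %s", k, v)
	}
	return bf, nil
}

// ResolveInside joins rel onto root, rejecting absolute targets and any target
// that, once ".." segments collapse, lies outside root. The check is lexical:
// a symlink inside the package still needs filepath.EvalSymlinks before a read.
func ResolveInside(root, rel string) (string, error) {
	root = filepath.Clean(root)
	if filepath.IsAbs(rel) {
		return "", ErrOutsidePackage
	}
	full := filepath.Join(root, rel) // Join cleans, so "a/../../x" collapses
	back, err := filepath.Rel(root, full)
	if err != nil {
		return "", err
	}
	if back == ".." || strings.HasPrefix(back, ".."+string(filepath.Separator)) {
		return "", ErrOutsidePackage
	}
	return full, nil
}

// ResolveBrowserSpecifier applies the field to one import specifier.
// path != "" means remapped; stubbed means mapped to false; both zero means
// the field has no entry and normal resolution applies.
func ResolveBrowserSpecifier(root string, bf BrowserField, spec string) (path string, stubbed bool, err error) {
	v, ok := bf[spec]
	if !ok {
		return "", false, nil
	}
	target, isStr := v.(string)
	if !isStr {
		return "", true, nil
	}
	path, err = ResolveInside(root, target)
	if err != nil {
		return "", false, fmt.Errorf("browser[%q] -> %q: %w", spec, target, err)
	}
	return path, false, nil
}

// SamplePackageJSON is constructed for this example, not a real npm package:
// one legitimate remap, one stub, and two entries that try to leave the root.
const SamplePackageJSON = `{
  "name": "example-pkg",
  "browser": {
    "./lib/node-only.js": "./lib/browser.js",
    "fs": false,
    "./leak.js": "../../../../etc/passwd",
    "./abs.js": "/etc/passwd"
  }
}`

func main() {
	root := "/srv/esm-build/example-pkg@1.0.0" // hypothetical unpack directory
	bf, err := ParseBrowserField([]byte(SamplePackageJSON))
	if err != nil {
		panic(err)
	}
	for _, spec := range []string{"./lib/node-only.js", "fs", "./leak.js", "./abs.js", "./other.js"} {
		p, stub, err := ResolveBrowserSpecifier(root, bf, spec)
		fmt.Printf("%-20s path=%q stubbed=%v err=%v\n", spec, p, stub, err)
	}
}
```

The same ResolveInside check applies to every other path-valued field a build server reads from an untrusted package.json (main, module, exports and the string form of browser). Two caveats for anyone adapting it: the check is purely lexical, so a package that ships a symlink pointing outside its directory must be caught separately (reject symlinks at unpack time, or resolve with filepath.EvalSymlinks and re-check before opening the file); and the unpack root itself must be a path the server controls, never derived from package metadata.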
References (1)
Confirm (x_refsource_confirm): https://github.com/esm-dev/esm.sh/security/advisories/GHSA-rg65-45m7-hq57
Scores
CVSS v3: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: NETWORK
EPSS: 0.0032
EPSS Percentile: 23.6%
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
Status: published
Products (2)
esm-dev/esm.sh (Go module): 0 through 0.0.0-20250616164159-0593516c4cfa
esm-dev/esm.sh: <= 137
Published: May 28, 2026
Tracked Since: May 28, 2026