CVE-2026-44593
esm.sh: Legacy Route Path Traversal Can Lead to RCE
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, the legacy router first retrieves a response from legacyServer, parses the incoming request path, and ultimately writes the data to storage via buildStorage.Put. The router concatenates the path components without sanitizing them, producing a storage key. When this key is used, the underlying file system resolves the relative segments and writes the file to the specified path. Thus an attacker can craft a request that writes data to arbitrary locations on the server.
| CWE | CWE-22 |
| Vendor | esm-dev |
| Product | esm.sh |
| Published | May 28, 2026 |
| Last Updated | Jun 2, 2026 |
Stay Ahead of the Next One
Get instant alerts for esm-dev esm.sh
Be the first to know when new unknown vulnerabilities affecting esm-dev esm.sh are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
esm-dev / esm.sh
<= 137