VYPR

Go modules package

github.com/esm-dev/esm.sh

pkg:golang/github.com/esm-dev/esm.sh

Vulnerabilities (9)

  • CVE-2026-44594higMay 12, 2026
    affected < 0.0.0-20250616164159-0593516c4cfafixed 0.0.0-20250616164159-0593516c4cfa

    ### Summary A Local File Inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the `browser` field in `package.json`. An attacker can publish an npm package that causes the server to read and return arbitrary files from the host filesystem during the build pro

  • CVE-2026-44593criMay 12, 2026
    affected < 0.0.0-20260508100112-1960055e1d53fixed 0.0.0-20260508100112-1960055e1d53

    ### Impact - Arbitrary File Write – An attacker can cause the server to write data to any file path it has write permission for. - Privilege Escalation / RCE – By overwriting critical binaries or scripts, the attacker can execute arbitrary code with the server’s privileges. ###

  • CVE-2026-27730Feb 25, 2026
    affected < 0.0.0-20250616164159-0593516c4cfafixed 0.0.0-20250616164159-0593516c4cfa

    esm.sh is a no-build content delivery network (CDN) for web development. Versions up to and including 137 have an SSRF vulnerability (CWE-918) in esm.sh’s `/http(s)` fetch route. The service tries to block localhost/internal targets, but the validation is based on hostname string

  • CVE-2025-50180Feb 25, 2026
    affected < 0.0.0-20250616164159-0593516c4cfafixed 0.0.0-20250616164159-0593516c4cfa

    esm.sh is a no-build content delivery network (CDN) for web development. In version 136, esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. Version 137 fixes the vulnerability.

  • CVE-2026-23644Jan 18, 2026
    affected >= 0.0.1, <= 136

    esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseeudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix. `path.Clean` normalizes a path but does not prevent absolute paths in a

  • CVE-2025-65026Nov 19, 2025
    affected < 0.0.0-20251118065157-87d2f6497574fixed 0.0.0-20251118065157-87d2f6497574

    esm.sh is a nobuild content delivery network(CDN) for modern web development. Prior to version 136, The esm.sh CDN service contains a Template Literal Injection vulnerability (CWE-94) in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?modul

  • CVE-2025-65025Nov 19, 2025
    affected < 0.0.0-20251117232647-9d77b88c3207fixed 0.0.0-20251117232647-9d77b88c3207

    esm.sh is a nobuild content delivery network(CDN) for modern web development. Prior to version 136, the esm.sh CDN service is vulnerable to path traversal during NPM package tarball extraction. An attacker can craft a malicious NPM package containing specially crafted file paths

  • CVE-2025-59342MedSep 17, 2025
    affected < 136.1fixed 136.1

    esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value

  • CVE-2025-59341HigSep 17, 2025
    affected <= 136

    esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host