CVE-2026-44593

Sažetak

esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, the legacy router first retrieves a response from legacyServer, parses the incoming request path, and ultimately writes the data to storage via buildStorage.Put. The router concatenates the path components without sanitizing them, producing a storage key. When this key is used, the underlying file system resolves the relative segments and writes the file to the specified path. Thus an attacker can craft a request that writes data to arbitrary locations on the server.

Reference

https://github.com/esm-dev/esm.sh/security/advisories/GHSA-3636-h3vx-6465
https://github.com/esm-dev/esm.sh/security/advisories/GHSA-3636-h3vx-6465

CVSS

Base:	0.0
Impact:	None
Exploitability:	None

Pristup

Vektor	Složenost	Autentikacija
None	None	None

Impact

Povjerljivost	Cjelovitost	Dostupnost
None	None	None

CVSS vektor

None

Zadnje važnije ažuriranje

02-06-2026 - 16:16

Objavljeno

28-05-2026 - 16:16