All 7 CVE vulnerabilities found in esm.sh, with AI-generated Chinese analysis, references, and POCs.
Vendor: esm-dev

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-27730 | esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route | CWE-918 | 5.3 (AI) | Medium (AI) | 2026-02-25 |
| CVE-2025-50180 | esm.sh is vulnerable to full-response SSRF | CWE-918 | 7.5 (AI) | High (AI) | 2026-02-25 |
| CVE-2026-23644 | esm.sh has path traversal in `extractPackageTarball` that enables file writes from malicious packages | CWE-22 | 7.1 | - | 2026-01-18 |
| CVE-2025-65026 | esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript | CWE-94 | 6.1 | Medium | 2025-11-19 |
| CVE-2025-65025 | esm.sh CDN service has arbitrary file write via tarslip | CWE-22 | 8.2 | High | 2025-11-19 |
| CVE-2025-59342 | esm.sh writes arbitrary files via path traversal in `X-Zone-Id` header | CWE-24 | 7.5 (AI) | High (AI) | 2025-09-17 |
| CVE-2025-59341 | Local File Inclusion in esm.sh | CWE-23 | 7.5 (AI) | High (AI) | 2025-09-17 |