Browse all 7 CVE security advisories affecting esm-dev. AI-powered Chinese analysis, POCs, and references for each vulnerability.

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-27730 | esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route — esm.sh, CWE-918 | 5.3 (AI) | Medium (AI) | 2026-02-25 |
| CVE-2025-50180 | esm.sh is vulnerable to full-response SSRF — esm.sh, CWE-918 | 7.5 (AI) | High (AI) | 2026-02-25 |
| CVE-2026-23644 | esm.sh has path traversal in `extractPackageTarball` that enables file writes from malicious packages — esm.sh, CWE-22 | 7.1 | - | 2026-01-18 |
| CVE-2025-65026 | esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript — esm.sh, CWE-94 | 6.1 | Medium | 2025-11-19 |
| CVE-2025-65025 | esm.sh CDN service has arbitrary file write via tarslip — esm.sh, CWE-22 | 8.2 | High | 2025-11-19 |
| CVE-2025-59342 | esm.sh writes arbitrary files via path traversal in `X-Zone-Id` header — esm.sh, CWE-24 | 7.5 (AI) | High (AI) | 2025-09-17 |
| CVE-2025-59341 | Local File Inclusion in esm.sh — esm.sh, CWE-23 | 7.5 (AI) | High (AI) | 2025-09-17 |

This page lists every published CVE security advisory associated with esm-dev. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.