Path Traversal in Esm-dev Esm.sh
CVE-2026-44593
esm.sh is a no-build content delivery network (CDN) for web development. In versions 137 and earlier, the legacy router first retrieves a response from legacyServer, parses the incoming request path, and ultimately writes the data to storage via bu…
Vulnerability class: Path Traversal (Directory Traversal)
EPSS: 0.001 (24.1th percentile)
Affected products
- Esm-dev Esm.sh — versions <= 137
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)