CVE-2026-44593

216.73.216.233

· Published 28/05/2026 16:16 · Modified 29/05/2026 16:32

Labels: CVE-2026-44593 2026-05-28 CVE-2026-44593 CWE-22 [email protected]

Essential information

Published: 28/05/2026 16:16
Modified: 29/05/2026 16:32
Author: —
Creator: —
CVSS: 8.7 HIGH (v3) 8.7 HIGH (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, the legacy router first retrieves a response from legacyServer, parses the incoming request path, and ultimately writes the data to storage via buildStorage.Put. The router concatenates the path components without sanitizing them, producing a storage key. When this key is used, the underlying file system resolves the relative segments and writes the file to the specified path. Thus an attacker can craft a request that writes data to arbitrary locations on the server.

NVD status

Status: Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
esm.sh / esm.sh	`cpe:2.3:a:esm.sh:esm.sh:137:::::::*`
esm.sh / esm.sh	`cpe:2.3:a:esm.sh:esm.sh:<137:::::::*`