216.73.216.233

CVE-2026-23644

· Published 18/01/2026 23:15 · Modified 18/01/2026 23:15

Labels: CVE-2026-23644 2026-01-18CVE-2026-23644CWE-22[email protected]

Essential information

Published
18/01/2026 23:15
Modified
18/01/2026 23:15
Author
Creator
CVSS
7.7 HIGH (v3) 7.7 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseeudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix. `path.Clean` normalizes a path but does not prevent absolute paths in a malicious tar file. Commit https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16, corresponding to pseudoversion 0.0.0-20260116051925-c62ab83c589e, fixes this issue.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
esm-dev / esm cpe:2.3:a:esm-dev:esm:*:*:*:*:*:*:*:*
golang / go cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*

References