Vulnerability Details CVE-2026-23644
esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseeudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix. `path.Clean` normalizes a path but does not prevent absolute paths in a malicious tar file. Commit https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16, corresponding to pseudoversion 0.0.0-20260116051925-c62ab83c589e, fixes this issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 24.1%
CVSS Severity
CVSS v3 Score 7.5
References
Products affected by CVE-2026-23644
-
cpe:2.3:a:esm:esm.sh:100
-
cpe:2.3:a:esm:esm.sh:101
-
cpe:2.3:a:esm:esm.sh:102
-
cpe:2.3:a:esm:esm.sh:103
-
cpe:2.3:a:esm:esm.sh:104
-
cpe:2.3:a:esm:esm.sh:105
-
cpe:2.3:a:esm:esm.sh:106
-
cpe:2.3:a:esm:esm.sh:107
-
cpe:2.3:a:esm:esm.sh:108
-
cpe:2.3:a:esm:esm.sh:109
-
cpe:2.3:a:esm:esm.sh:110
-
cpe:2.3:a:esm:esm.sh:111
-
cpe:2.3:a:esm:esm.sh:112
-
cpe:2.3:a:esm:esm.sh:113
-
cpe:2.3:a:esm:esm.sh:114
-
cpe:2.3:a:esm:esm.sh:115
-
cpe:2.3:a:esm:esm.sh:116
-
cpe:2.3:a:esm:esm.sh:117
-
cpe:2.3:a:esm:esm.sh:118
-
cpe:2.3:a:esm:esm.sh:119
-
cpe:2.3:a:esm:esm.sh:120
-
cpe:2.3:a:esm:esm.sh:121
-
cpe:2.3:a:esm:esm.sh:122
-
cpe:2.3:a:esm:esm.sh:123
-
cpe:2.3:a:esm:esm.sh:124
-
cpe:2.3:a:esm:esm.sh:125
-
cpe:2.3:a:esm:esm.sh:126
-
cpe:2.3:a:esm:esm.sh:127
-
cpe:2.3:a:esm:esm.sh:128
-
cpe:2.3:a:esm:esm.sh:129
-
cpe:2.3:a:esm:esm.sh:130
-
cpe:2.3:a:esm:esm.sh:131
-
cpe:2.3:a:esm:esm.sh:132
-
cpe:2.3:a:esm:esm.sh:133
-
cpe:2.3:a:esm:esm.sh:134
-
cpe:2.3:a:esm:esm.sh:135
-
cpe:2.3:a:esm:esm.sh:135_1
-
cpe:2.3:a:esm:esm.sh:135_2
-
cpe:2.3:a:esm:esm.sh:135_3
-
cpe:2.3:a:esm:esm.sh:135_4
-
cpe:2.3:a:esm:esm.sh:135_5
-
cpe:2.3:a:esm:esm.sh:135_6
-
cpe:2.3:a:esm:esm.sh:135_7
-
cpe:2.3:a:esm:esm.sh:34
-
cpe:2.3:a:esm:esm.sh:35
-
cpe:2.3:a:esm:esm.sh:37
-
cpe:2.3:a:esm:esm.sh:38
-
cpe:2.3:a:esm:esm.sh:39
-
cpe:2.3:a:esm:esm.sh:40
-
cpe:2.3:a:esm:esm.sh:41
-
cpe:2.3:a:esm:esm.sh:43
-
cpe:2.3:a:esm:esm.sh:44
-
cpe:2.3:a:esm:esm.sh:45
-
cpe:2.3:a:esm:esm.sh:46
-
cpe:2.3:a:esm:esm.sh:47
-
cpe:2.3:a:esm:esm.sh:48
-
cpe:2.3:a:esm:esm.sh:49
-
cpe:2.3:a:esm:esm.sh:50
-
cpe:2.3:a:esm:esm.sh:51
-
cpe:2.3:a:esm:esm.sh:52
-
cpe:2.3:a:esm:esm.sh:53
-
cpe:2.3:a:esm:esm.sh:55
-
cpe:2.3:a:esm:esm.sh:56
-
cpe:2.3:a:esm:esm.sh:57
-
cpe:2.3:a:esm:esm.sh:59
-
cpe:2.3:a:esm:esm.sh:60
-
cpe:2.3:a:esm:esm.sh:61
-
cpe:2.3:a:esm:esm.sh:62
-
cpe:2.3:a:esm:esm.sh:63
-
cpe:2.3:a:esm:esm.sh:64
-
cpe:2.3:a:esm:esm.sh:65
-
cpe:2.3:a:esm:esm.sh:66
-
cpe:2.3:a:esm:esm.sh:67
-
cpe:2.3:a:esm:esm.sh:68
-
cpe:2.3:a:esm:esm.sh:69
-
cpe:2.3:a:esm:esm.sh:70
-
cpe:2.3:a:esm:esm.sh:71
-
cpe:2.3:a:esm:esm.sh:72
-
cpe:2.3:a:esm:esm.sh:73
-
cpe:2.3:a:esm:esm.sh:74
-
cpe:2.3:a:esm:esm.sh:75
-
cpe:2.3:a:esm:esm.sh:76
-
cpe:2.3:a:esm:esm.sh:77
-
cpe:2.3:a:esm:esm.sh:78
-
cpe:2.3:a:esm:esm.sh:79
-
cpe:2.3:a:esm:esm.sh:80
-
cpe:2.3:a:esm:esm.sh:81
-
cpe:2.3:a:esm:esm.sh:82
-
cpe:2.3:a:esm:esm.sh:83
-
cpe:2.3:a:esm:esm.sh:84
-
cpe:2.3:a:esm:esm.sh:85
-
cpe:2.3:a:esm:esm.sh:86
-
cpe:2.3:a:esm:esm.sh:87
-
cpe:2.3:a:esm:esm.sh:88
-
cpe:2.3:a:esm:esm.sh:89
-
cpe:2.3:a:esm:esm.sh:90
-
cpe:2.3:a:esm:esm.sh:91
-
cpe:2.3:a:esm:esm.sh:92
-
cpe:2.3:a:esm:esm.sh:93
-
cpe:2.3:a:esm:esm.sh:94
-
cpe:2.3:a:esm:esm.sh:95
-
cpe:2.3:a:esm:esm.sh:96
-
cpe:2.3:a:esm:esm.sh:97
-
cpe:2.3:a:esm:esm.sh:98
-
cpe:2.3:a:esm:esm.sh:99