CVE-2026-27730 HIGH

CVE-2026-27730: esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route

Vendor Esm-Dev

Product esm.sh

Weakness CWE-918 · SSRF

Published February 25, 2026

Last update February 25, 2026

View on NVD All CVEs

CVSS base score

8.6/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

esm.sh is a no-build content delivery network (CDN) for web development. Versions up to and including 137 have an SSRF vulnerability (CWE-918) in esm.sh’s `/http(s)` fetch route. The service tries to block localhost/internal targets, but the validation is based on hostname string checks and can be bypassed using DNS alias domains. This allows an external requester to make the esm.sh server fetch internal localhost services. As of time of publication, no known patched versions exist.

Key dates

02Disclosure timeline

February 25, 2026 CVE published

February 25, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-27730 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/918.html

Related vulnerabilities

04Related CVE

CVE-2024-51981 Unauthenticated Server Side Request Forgery (SSRF) via WS-Eventing affecting multiple models from Brother Industries, Ltd, FUJIFILM Business Innovation, Ricoh, and Toshiba Tec, and Konica Minolta, Inc. CVE-2020-24444 Blind SSRF in Forms add-on for AEM CVE-2024-3485 Server-Side Request Forgery vulnerability in iManager CVE-2023-46207 WordPress Motors – Car Dealer & Classified Ads Plugin <= 1.4.6 is vulnerable to Server Side Request Forgery (SSRF) CVE-2026-45082 Karakeep has a SSRF Protection Bypass via Redirect Handling