CVE-2026-44594 HIGH

CVE-2026-44594: esm.sh: Path Traversal via package.json browser field allows reading arbitrary server files

Vendor Esm-Dev
Product esm.sh
Weakness CWE-22 · Path traversal
Published May 28, 2026
Last update May 28, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

esm.sh is a no-build content delivery network (CDN) for web development. In versions 137 and earlier, a Local File Inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package whose browser field causes the server to read and return arbitrary files from the host filesystem during the build process.
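The mitigation for this class of bug is a containment check on every file path the browser field supplies before the build step opens it. The Go program below is an added example written for this record; it is not esm.sh's code, and the names ParseBrowserField, ResolveInPackage, CheckBrowserField and ErrEscapesPackage are assumptions of the example. It parses both shapes npm allows for the field (a string, or an object mapping specifiers to files), joins each target onto the package root, and rejects anything that resolves above that root, using a constructed package.json as input.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscapesPackage is returned when a browser-field target resolves outside
// the package root. The identifiers in this file are assumptions for the
// example, not names from esm.sh.
var ErrEscapesPackage = errors.New("browser field target escapes package root")

// BrowserField is the parsed "browser" field of package.json. npm accepts two
// shapes: a single string that replaces "main", or an object mapping module
// specifiers to replacement files (a value of false stubs the module out).
type BrowserField struct {
	Main     string            // set when the field is a string
	Mappings map[string]string // set when the field is an object; false values are dropped
}

// ParseBrowserField extracts the "browser" field from raw package.json bytes.
func ParseBrowserField(pkgJSON []byte) (BrowserField, error) {
	var pkg struct {
		Browser json.RawMessage `json:"browser"`
	}
	if err := json.Unmarshal(pkgJSON, &pkg); err != nil {
		return BrowserField{}, err
	}
	var bf BrowserField
	if len(pkg.Browser) == 0 || string(pkg.Browser) == "null" {
		return bf, nil
	}
	var s string
	if err := json.Unmarshal(pkg.Browser, &s); err == nil {
		bf.Main = s
		return bf, nil
	}
	var obj map[string]interface{}
	if err := json.Unmarshal(pkg.Browser, &obj); err != nil {
		return bf, fmt.Errorf("browser field is neither string nor object: %w", err)
	}
	bf.Mappings = make(map[string]string, len(obj))
	for spec, v := range obj {
		if target, ok := v.(string); ok {
			bf.Mappings[spec] = target
		}
	}
	return bf, nil
}

// ResolveInPackage joins a browser-field target onto the package root and
// returns the cleaned path only if it still lies inside that root. The check
// is lexical: filepath.Join collapses ".." segments, and filepath.Rel then
// shows whether the result climbed above root.
func ResolveInPackage(pkgRoot, target string) (string, error) {
	root := filepath.Clean(pkgRoot)
	if filepath.IsAbs(target) {
		return "", fmt.Errorf("%q: %w", target, ErrEscapesPackage)
	}
	full := filepath.Join(root, target)
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%q: %w", target, ErrEscapesPackage)
	}
	return full, nil
}

// CheckBrowserField validates every file target in a parsed browser field
// against the package root and returns the first escape it finds.
func CheckBrowserField(pkgRoot string, bf BrowserField) error {
	if bf.Main != "" {
		if _, err := ResolveInPackage(pkgRoot, bf.Main); err != nil {
			return err
		}
	}
	for spec, target := range bf.Mappings {
		if _, err := ResolveInPackage(pkgRoot, target); err != nil {
			return fmt.Errorf("mapping %q: %w", spec, err)
		}
	}
	return nil
}

func main() {
	// Constructed sample manifest: one mapping points above the package root.
	manifest := []byte(`{"name":"example","browser":{"./fs.js":"../../../../etc/hostname","./ok.js":"./browser/ok.js"}}`)
	bf, err := ParseBrowserField(manifest)
	if err != nil {
		panic(err)
	}
	fmt.Println(CheckBrowserField("/srv/packages/example", bf))
}
```

The check is purely lexical, which is enough to stop ".." and absolute targets in the manifest itself. A build server that extracts tarballs should additionally resolve symlinks (for example with filepath.EvalSymlinks on the extracted tree) before trusting the result, since a link inside the package can point outside it without any ".." appearing in the browser field.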

Key dates

Disclosure timeline

May 28, 2026 CVE published
May 28, 2026 Record updated