cbcvebase.
CVE-2025-50180
published 2026-02-25

CVE-2025-50180: esm.sh is a no-build content delivery network (CDN) for web development. In version 136, esm.sh is vulnerable to a full-response SSRF, allowing an attacker to…

PriorityP344high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EPSS
0.38%
29.9th percentile
esm.sh is a no-build content delivery network (CDN) for web development. In version 136, esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. Version 137 fixes the vulnerability.

Affected

7 ranges
VendorProductVersion rangeFixed in
esm-devesm.sh
esmesm.sh< 137137
github.comesm-dev_esm.sh>= 0 < 0.0.0-20250616164159-0593516c4cfa0.0.0-20250616164159-0593516c4cfa
msrccbl2_kernel_5.15.167.1-2_on_cbl_mariner_2.0
msrccbl2_kernel_5.15.173.1-1_on_cbl_mariner_2.0
msrccbl_mariner_2.0_arm
msrccbl_mariner_2.0_x64

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv4.08.7HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_msrc7.8HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.