CVE-2026-44594
Published: 2026-05-28
Priority: P3 · 48 · high · 7.5 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.32% (23.8th percentile)
esm.sh is a no-build content delivery network (CDN) for web development. In version 137 and earlier, a Local File Inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return arbitrary files from the host filesystem during the build process.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| esm-dev | esm.sh | <= 137 | — |
| github.com | esm-dev_esm.sh | >= 0 < 0.0.0-20250616164159-0593516c4cfa | 0.0.0-20250616164159-0593516c4cfa |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.