PatchSiren cyber security CVE debrief
CVE-2026-44593 esm-dev CVE debrief
CVE-2026-44593 is a high-severity path traversal vulnerability in esm.sh, a no-build CDN for web development, affecting version 137 and earlier. The vulnerability exists in the legacy router component, which retrieves responses from legacyServer and writes data to storage via buildStorage.Put. The router concatenates path components without sanitization to produce a storage key, allowing the underlying file system to resolve relative path segments. An attacker can craft a request that writes data to arbitrary locations on the server. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The issue was disclosed on 2026-05-28 with a CVSS 4.0 score of 8.7 (HIGH severity).
- Vendor
- esm-dev
- Product
- esm.sh
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-28
- Original CVE updated
- 2026-05-29
- Advisory published
- 2026-05-28
- Advisory updated
- 2026-05-29
Who should care
Organizations running self-hosted esm.sh instances at version 137 or earlier; developers using esm.sh CDN infrastructure; security teams monitoring supply chain and build infrastructure components.
Technical summary
The esm.sh legacy router constructs storage keys by concatenating URL path components without sanitization. When buildStorage.Put uses this key, the file system resolves relative path segments (e.g., ../), enabling writes outside intended directories. Attackers can exploit this by crafting requests with traversal sequences to overwrite arbitrary files.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade esm.sh to a version newer than 137 that contains the security fix
- Review storage write operations in legacy router implementations for path sanitization
- Implement input validation to sanitize path components before storage key generation
- Audit file system permissions to restrict write access to sensitive directories
- Monitor for anomalous write operations to unexpected file system locations
- Review application logs for requests containing path traversal sequences (../, .., etc.)
Evidence notes
Vulnerability description sourced from official CVE record and NVD entry. Technical details confirmed via GitHub Security Advisory GHSA-3636-h3vx-6465. CVSS vector indicates network attack vector with low attack complexity, no privileges required, and high integrity impact.
Official resources
-
CVE-2026-44593 CVE record
CVE.org
-
CVE-2026-44593 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
2026-05-28