esm.sh is a no-build CDN for web development that transpiles and serves npm packages directly to browsers. In version 137 and earlier, a Local File Inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the `browser` field in `package.json`. An attacker can publish a malicious npm package with a crafted `browser` field that causes the server to read and return arbitrary files from the ho [truncated]
CVE-2026-44593 is a high-severity path traversal vulnerability in esm.sh, a no-build CDN for web development, affecting version 137 and earlier. The vulnerability exists in the legacy router component, which retrieves responses from `legacyServer` and writes data to storage via `buildStorage.Put`. The router concatenates path components without sanitization to produce a storage key, allowing the underlying fi [truncated]
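
The containment check that both issues above call for, as an added Go example (not esm.sh's code or its actual patch): an untrusted path, such as a `browser` field value or a storage-key component, is joined onto a base directory and rejected if the result leaves it. The function names, base path and sample inputs are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var errEscape = errors.New("path escapes base directory")

// naiveJoin (hypothetical name) shows the unsafe pattern: the untrusted
// component is joined onto the base with no containment check afterwards.
func naiveJoin(base, untrusted string) string {
	return filepath.Join(base, untrusted)
}

// containedJoin (hypothetical name) joins, then verifies lexically that the
// cleaned result is still inside base. It does not resolve symlinks; for
// files already on disk, also compare filepath.EvalSymlinks results.
func containedJoin(base, untrusted string) (string, error) {
	if strings.ContainsRune(untrusted, 0) {
		return "", errEscape // NUL bytes are never valid in a path
	}
	baseClean := filepath.Clean(base)
	full := filepath.Join(baseClean, untrusted)
	rel, err := filepath.Rel(baseClean, full)
	if err != nil || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errEscape
	}
	return full, nil
}

func main() {
	base := "/srv/npm/example-pkg@1.0.0" // constructed package directory
	// Constructed sample values for a package.json "browser" mapping.
	for _, v := range []string{"./dist/browser.js", "a/../b.js", "../../../etc/passwd", ".."} {
		p, err := containedJoin(base, v)
		fmt.Printf("%-22q naive=%-40q contained=%q err=%v\n", v, naiveJoin(base, v), p, err)
	}
}
```

The same check applies on the write path: validate the storage key before it is handed to a filesystem-backed store, not only when files are read.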