CVE-2026-23644

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-23644

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23644.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-23644

Aliases

Downstream

SUSE-SU-2026:0757-1

Related

SUSE-SU-2026:0757-1

Published

2026-01-18T22:49:29.676Z

Modified

2026-03-13T04:09:31.001423Z

Severity

7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator

Summary

esm.sh has path traversal in `extractPackageTarball` that enables file writes from malicious packages

Details

esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseeudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix. path.Clean normalizes a path but does not prevent absolute paths in a malicious tar file. Commit https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16, corresponding to pseudoversion 0.0.0-20260116051925-c62ab83c589e, fixes this issue.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-22"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23644.json"
}

References

Affected packages

Git / github.com/esm-dev/esm.sh

Affected ranges

Type

GIT

Repo

https://github.com/esm-dev/esm.sh

Events

Introduced

Fixed

1ad31b6352bb0a064ece812f6f360e4850e16051

Fixed

9d77b88c320733ff6689d938d85d246a3af9af16

Fixed

c62ab83c589e7b421a0e1376d2a00a4e48161093

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "136"
        }
    ]
}

Affected versions

Other

v100

v101

v102

v103

v104

v105

v106

v107

v108

v109

v110

v111

v112

v113

v114

v115

v116

v117

v119

v120

v121

v122

v123

v124

v125

v126

v127

v128

v129

v130

v131

v132

v133

v134

v135

v135_1

v34

v35

v37

v38

v39

v40

v41

v43

v44

v45

v46

v47

v49

v50

v51

v52

v53

v55

v56

v57

v59

v60

v61

v62

v63

v64

v65

v66

v67

v68

v69

v70

v71

v72

v73

v74

v75

v76

v77

v78

v79

v80

v81

v82

v83

v84

v85

v86

v87

v88

v89

v90

v91

v92

v93

v94

v95

v96

v97

v98

v99

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23644.json"