top of page
perceptive_background_267k.jpg

esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, a Local File Inclusion (LFI) vulnerability exists in the esbuild pl…

Published:

27 mei 2026 om 22:00:00

Alert date:

28 mei 2026 om 17:06:19

Source:

nvd.nist.gov

Click to open the original link from this advisory

Supply Chain & Dependencies, Web Technologies

A Local File Inclusion (LFI) vulnerability exists in esm.sh, a no-build content delivery network for web development. The vulnerability affects version 137 and earlier in the esbuild plugin's handling of the browser field in package.json files. Attackers can exploit this by publishing malicious npm packages that cause the server to read and return arbitrary files from the host filesystem during the build process. This represents a significant supply chain risk as it allows unauthorized access to sensitive server files through crafted npm packages.

Technical details

Mitigation steps:

Affected products:

esm.sh

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-44594
https://github.com/esm-dev/esm.sh/security/advisories/GHSA-rg65-45m7-hq57

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Deze website toont informatie afkomstig van externe bronnen; Perceptive aanvaardt geen verantwoordelijkheid voor de juistheid, volledigheid of actualiteit van deze informatie.

bottom of page