CVE-2026-23644 — Vulnetix

CVE-2026-23644 PUBLISHED CVSS 7.699999809265137 HIGH

esm.sh has a path traversal in extractPackageTarball enables file writes from malicious packages

EPSS 0.12% · 30.2th percentile

Risk Scores

CVSS v4.0

7.699999809265137

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

EPSS Score

0.12%

30.2th percentile

Affected Products

Vendor	Product	Versions
esm-dev	esm.sh	< 0.0.0-20260116051925-c62ab83c589e, *
github.com	esm-dev/esm.sh	0, 0, 0.0.1
esm	esm.sh	0, 0

Timeline

Jan 18, 2026 CVE Published
Jan 19, 2026 EPSS Score
Jan 19, 2026 PoC Published
Jan 20, 2026 CVE Updated
Jan 22, 2026 EPSS Score
Jan 24, 2026 PoC Published
Jan 25, 2026 EPSS Score
Jan 27, 2026 EPSS Score
Jan 30, 2026 EPSS Score
Jan 30, 2026 Security Advisory
Feb 2, 2026 EPSS Score
Feb 5, 2026 EPSS Score

References

Open in Interactive Console →

$ Console Community · 100/wk Open console ›