Browse all 7 CVE security advisories affecting esm-dev. AI-powered Chinese analysis, POCs, and references for each vulnerability.
esm-dev is a software development tool primarily used for enterprise system management and configuration automation. Historically it has been associated with remote code execution vulnerabilities, cross-site scripting flaws, and privilege escalation issues across its seven recorded CVEs. The application's complex architecture and extensive API surface have contributed to recurring security weaknesses, particularly in input validation and access control. No major public security incidents have been documented, but the consistent pattern of vulnerabilities suggests elevated risk in environments where the tool runs with elevated privileges or is exposed to untrusted networks.
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-27730 | esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route | esm.sh | CWE-918 | 5.3 (AI-estimated) | Medium (AI-estimated) | 2026-02-25 |
| CVE-2025-50180 | esm.sh is vulnerable to full-response SSRF | esm.sh | CWE-918 | 7.5 (AI-estimated) | High (AI-estimated) | 2026-02-25 |
| CVE-2026-23644 | esm.sh has path traversal in `extractPackageTarball` that enables file writes from malicious packages | esm.sh | CWE-22 | 7.1 | - | 2026-01-18 |
| CVE-2025-65026 | esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript | esm.sh | CWE-94 | 6.1 | Medium | 2025-11-19 |
| CVE-2025-65025 | esm.sh CDN service has arbitrary file write via tarslip | esm.sh | CWE-22 | 8.2 | High | 2025-11-19 |
| CVE-2025-59342 | esm.sh writes arbitrary files via path traversal in `X-Zone-Id` header | esm.sh | CWE-24 | 7.5 (AI-estimated) | High (AI-estimated) | 2025-09-17 |
| CVE-2025-59341 | Local File Inclusion in esm.sh | esm.sh | CWE-23 | 7.5 (AI-estimated) | High (AI-estimated) | 2025-09-17 |
This page lists every published CVE security advisory associated with esm-dev. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.