CVE-2026-44593EPSS p27.9%

CVE-2026-44593CVE-2026-44593

Description

esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, the legacy router first retrieves a response from legacyServer, parses the incoming request path, and ultimately writes the data to storage via buildStorage.Put. The router concatenates the path components without sanitizing them, producing a storage key. When this key is used, the underlying file system resolves the relative segments and writes the file to the specified path. Thus an attacker can craft a request that writes data to arbitrary locations on the server.

Scoring

EPSS0.36% probability of exploitation · percentile 27.9% · 2026-06-19T12:03:05Z
Last modified2026-06-02

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-65025
CVE
CVE-2025-65026
CVE
CVE-2026-35392
CVE
CVE-2026-22799
CVE
CVE-2026-34475
CVE
CVE-2026-36762
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.