CVE-2026-23644 - esm.sh has path traversal in `extractPackageTarball` that enables file writes fr...

CVE ID: CVE-2026-23644

Published: Jan. 18, 2026, 11:15 p.m.

Description: esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix. `path.Clean` normalizes a path but does not prevent absolute paths in a malicious tar file. Commit , corresponding to pseudoversion 0.0.0-20260116051925-c62ab83c589e, fixes this issue.

Severity: 7.7 | HIGH

CVE Details

Severity: HIGH
Published: Jan. 18, 2026
Attack Vector: network
Impact: path traversal
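
The `path.Clean` behaviour named in the description, shown as an added Go example (not esm.sh code and not the fix commit): normalization alone leaves absolute and parent-relative tar entry names intact, so an extractor needs an explicit containment check. `cleanOnly`, `safeTarget`, the root `/srv/extract` and the entry names are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

var errUnsafeEntry = errors.New("tar entry name escapes extraction root")

// cleanOnly is normalization with no validation: absolute names and
// leading ".." segments pass through path.Clean unchanged.
func cleanOnly(name string) string { return path.Clean(name) }

// safeTarget maps a tar entry name to a path under root, rejecting
// absolute names and names that climb out of root.
func safeTarget(root, name string) (string, error) {
	cleaned := path.Clean(name)
	if path.IsAbs(cleaned) || cleaned == ".." || strings.HasPrefix(cleaned, "../") {
		return "", errUnsafeEntry
	}
	target := filepath.Join(root, filepath.FromSlash(cleaned))
	// Defense in depth: confirm the joined path is still inside root.
	rel, err := filepath.Rel(root, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errUnsafeEntry
	}
	return target, nil
}

func main() {
	// Constructed entry names, as they might appear in tar headers.
	names := []string{"package/index.js", "/tmp/outside.txt", "package/../../outside.txt"}
	for _, n := range names {
		target, err := safeTarget("/srv/extract", n)
		fmt.Printf("name=%q clean=%q target=%q err=%v\n", n, cleanOnly(n), target, err)
	}
}
```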