Cyber Resilience

CVE-2026-23644

HighPublic PoC

Published: 18 January 2026

Published
18 January 2026
Modified
18 February 2026
KEV Added
Patch
CVSS Score v4 7.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0012 30.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23644 is a high-severity Path Traversal (CWE-22) vulnerability in Esm Esm.Sh. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23644 is a path traversal vulnerability (CWE-22) in esm.sh, a no-build content delivery network (CDN) for web development. The issue affects versions prior to Go pseudoversion 0.0.0-20260116051925-c62ab83c589e and stems from an incomplete fix, where the path.Clean function normalizes paths but does not prevent absolute paths within a malicious tar file.

An unauthenticated remote attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). Exploitation enables high integrity impact, allowing the attacker to traverse paths and potentially overwrite files outside the intended extraction directory via a crafted tar file.

Mitigation is provided by commit 9d77b88c320733ff6689d938d85d246a3af9af16, which corresponds to pseudoversion 0.0.0-20260116051925-c62ab83c589e and addresses the absolute path handling. Security practitioners should update to this pseudoversion or later. Further details appear in the GitHub security advisory GHSA-2657-3c98-63jq and the Go vulnerability database at pkg.go.dev/vuln/GO-2025-4138.

EU & UK References

Vulnerability details

esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseeudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix. `path.Clean` normalizes a path but does not prevent absolute paths in a…

more

malicious tar file. Commit https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16, corresponding to pseudoversion 0.0.0-20260116051925-c62ab83c589e, fixes this issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote exploitation of public-facing esm.sh CDN service via path traversal in tar extraction to achieve unauthorized file overwrite.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-27730Same product: Esm Esm.Sh
CVE-2025-50180Same product: Esm Esm.Sh
CVE-2025-64075Shared CWE-22
CVE-2024-53537Shared CWE-22
CVE-2024-36512Shared CWE-22
CVE-2025-0493Shared CWE-22
CVE-2025-70231Shared CWE-22
CVE-2026-43888Shared CWE-22
CVE-2025-15031Shared CWE-22
CVE-2026-25785Shared CWE-22

Affected Assets

esm
esm.sh
≤ 136

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and correction of flaws like this path traversal vulnerability by updating to the fixed pseudoversion.

prevent

Mandates validation of information inputs such as paths in tar files to block absolute path traversal attempts.

detect

Enables integrity checks on software and files to identify unauthorized overwrites from path traversal exploitation.

References