Cyber Posture

CVE-2026-23644

HighPublic PoC

Published: 18 January 2026

Published
18 January 2026
Modified
18 February 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score 0.0011 28.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23644 is a high-severity Path Traversal (CWE-22) vulnerability in Esm Esm.Sh. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SI-10 Information Input Validation
addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Direct remote exploitation of public-facing esm.sh CDN service via path traversal in tar extraction to achieve unauthorized file overwrite.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseeudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix. `path.Clean` normalizes a path but does not prevent absolute paths in a…

more

malicious tar file. Commit https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16, corresponding to pseudoversion 0.0.0-20260116051925-c62ab83c589e, fixes this issue.

Deeper analysisAI

CVE-2026-23644 is a path traversal vulnerability (CWE-22) in esm.sh, a no-build content delivery network (CDN) for web development. The issue affects versions prior to Go pseudoversion 0.0.0-20260116051925-c62ab83c589e and stems from an incomplete fix, where the path.Clean function normalizes paths but does not prevent absolute paths within a malicious tar file.

An unauthenticated remote attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). Exploitation enables high integrity impact, allowing the attacker to traverse paths and potentially overwrite files outside the intended extraction directory via a crafted tar file.

Mitigation is provided by commit 9d77b88c320733ff6689d938d85d246a3af9af16, which corresponds to pseudoversion 0.0.0-20260116051925-c62ab83c589e and addresses the absolute path handling. Security practitioners should update to this pseudoversion or later. Further details appear in the GitHub security advisory GHSA-2657-3c98-63jq and the Go vulnerability database at pkg.go.dev/vuln/GO-2025-4138.

Details

CWE(s)
CWE-22

Affected Products

esm
esm.sh
≤ 136

CVEs Like This One

CVE-2026-27730Same product: Esm Esm.Sh
CVE-2025-50180Same product: Esm Esm.Sh
CVE-2025-59384Shared CWE-22
CVE-2025-15031Shared CWE-22
CVE-2026-7213Shared CWE-22
CVE-2026-24479Shared CWE-22
CVE-2025-66744Shared CWE-22
CVE-2026-6057Shared CWE-22
CVE-2026-5436Shared CWE-22
CVE-2026-2448Shared CWE-22

References