CVE-2026-44593: esm.sh: Legacy Route Path Traversal Can Lead to RCE
- Arbitrary File Write – An attacker can cause the server to write data to any file path it has write permission for.
- Privilege Escalation / RCE – By overwriting critical binaries or scripts, the attacker can execute arbitrary code with the server’s privileges.