CVE-2026-44594: esm.sh: Path Traversal via package.json browser field allows reading arbitrary server files
A Local File Inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the browser field in package.json: a browser-field mapping is resolved as a file path without being confined to the package directory, so it can traverse outside it. An attacker who publishes an npm package with such a mapping can cause the server to read and return arbitrary files from the host filesystem during the build process.
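The bug class this advisory describes is a missing path-containment check on the targets named in a package's browser field. As an added example that is not esm.sh's own code or its fix (the advisory gives no details of the fix), the following Go function validates a package.json browser field, handling both its string and object forms, and refuses any mapping that resolves outside the package directory; the root path and any manifests used with it are constructed inputs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// ValidateBrowserField parses a package.json "browser" field (a string, or an
// object whose values are strings or false) and returns each mapping resolved
// on disk. Targets are relative to the package.json directory, so anything that
// cleans to a path outside root is rejected and the whole manifest fails closed.
// Bare specifiers ("lodash-es") pass through for module resolution. Symlinks
// are not followed: a real build should also sandbox reads or EvalSymlinks.
func ValidateBrowserField(root string, pkgJSON []byte) (map[string]string, error) {
	var pkg struct{ Browser json.RawMessage `json:"browser"` }
	if err := json.Unmarshal(pkgJSON, &pkg); err != nil {
		return nil, err
	}
	out, entries := map[string]string{}, map[string]json.RawMessage{}
	var single string
	if len(pkg.Browser) == 0 {
		return out, nil // no browser field: nothing to check
	} else if json.Unmarshal(pkg.Browser, &single) == nil {
		entries["."] = pkg.Browser // string form replaces the package entry point
	} else if err := json.Unmarshal(pkg.Browser, &entries); err != nil {
		return nil, fmt.Errorf("browser field is neither string nor object: %w", err)
	}
	for from, rawTo := range entries {
		var to string
		if json.Unmarshal(rawTo, &to) != nil {
			continue // false disables the module in browsers; nothing to resolve
		}
		if !strings.HasPrefix(to, ".") && !filepath.IsAbs(to) {
			out[from] = to // bare module specifier, not a file path
			continue
		}
		// Join collapses ".." segments (and confines absolute targets under root),
		// so Rel tells us whether the cleaned path still lies inside the package.
		abs := filepath.Join(root, to)
		rel, err := filepath.Rel(root, abs)
		if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			return nil, fmt.Errorf("browser[%q]: target %q escapes package root", from, to)
		}
		out[from] = abs
	}
	return out, nil
}
```

A build service would call this with the extracted package's directory before any browser-field mapping is opened, and skip the package entirely when it returns an error.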