Security: esm-dev/esm.sh
No security policy detected
This project has not set up a SECURITY.md file yet.
SSRF localhost/private-network bypass in `/http(s)` module route
GHSA-p2v6-84h2-5x4r, published Feb 25, 2026 by ije. Severity: High

Path traversal in `extractPackageTarball` enables file writes from malicious packages
GHSA-2657-3c98-63jq, published Jan 17, 2026 by ije. Severity: High

JS Template Literal Injection in CSS-to-JavaScript
GHSA-hcpf-qv9m-vfgp, published Nov 19, 2025 by ije. Severity: Moderate

Arbitrary file write via tarslip
GHSA-h3mw-4f23-gwpw, published Nov 19, 2025 by ije. Severity: High

Arbitrary file write via path traversal in `X-Zone-Id` header
GHSA-g2h5-cvvr-7gmw, published Sep 17, 2025 by ije. Severity: Moderate

Local File Inclusion in esm.sh
GHSA-49pv-gwxp-532r, published Sep 17, 2025 by ije. Severity: High

Full-response SSRF in esm.sh
GHSA-3c9r-837r-qqm4, published Feb 25, 2026 by ije. Severity: High

Learn more about advisories related to esm-dev/esm.sh in the GitHub Advisory Database