CVE-2026-27730

HIGH8.6EPSS 0.06%

esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route in github.com/esm-dev/esm.sh

Published: 2/25/2026Modified: 3/9/2026

Description

esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route in github.com/esm-dev/esm.sh

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N