CVE-2026-27730 — HIGH (7.5)

Q: How severe is CVE-2026-27730?

CVE-2026-27730 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-27730?

Check the references section above for vendor advisories and patch information. Affected products include: Esm Esm.Sh.

Vulnerability Description

esm.sh is a no-build content delivery network (CDN) for web development. Versions up to and including 137 have an SSRF vulnerability (CWE-918) in esm.sh’s `/http(s)` fetch route. The service tries to block localhost/internal targets, but the validation is based on hostname string checks and can be bypassed using DNS alias domains. This allows an external requester to make the esm.sh server fetch internal localhost services. As of time of publication, no known patched versions exist.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Esm	Esm.Sh	<= 137

Related Weaknesses (CWE)

CWE-918

References

https://github.com/esm-dev/esm.sh/security/advisories/GHSA-p2v6-84h2-5x4rExploitVendor Advisory

FAQ

What is CVE-2026-27730?

CVE-2026-27730 is a vulnerability with a CVSS score of 7.5 (HIGH). esm.sh is a no-build content delivery network (CDN) for web development. Versions up to and including 137 have an SSRF vulnerability (CWE-918) in esm.sh’s `/http(s)` fetch route. The service tries to ...

How severe is CVE-2026-27730?

CVE-2026-27730 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-27730?

Check the references section above for vendor advisories and patch information. Affected products include: Esm Esm.Sh.