Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/67674?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67674?format=api", "vulnerability_id": "VCID-7nx2-8ku1-w3cm", "summary": "esm.sh is a no-build content delivery network (CDN) for web development. In version 137 and earlier, a Local File Inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return arbitrary files from the host filesystem during the build process.", "aliases": [ { "alias": "CVE-2026-44594" }, { "alias": "GHSA-rg65-45m7-hq57" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374455?format=api", "purl": "pkg:golang/github.com/esm-dev/esm.sh@0.0.0-20250616164159-0593516c4cfa", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:golang/github.com/esm-dev/esm.sh@0.0.0-20250616164159-0593516c4cfa" } ], "affected_packages": [], "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44594", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00057", "scoring_system": "epss", "scoring_elements": "0.18127", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44594" }, { "reference_url": "https://github.com/esm-dev/esm.sh", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/esm-dev/esm.sh" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44594", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], 
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44594" }, { "reference_url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-rg65-45m7-hq57", "reference_id": "GHSA-rg65-45m7-hq57", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T15:31:13Z/" } ], "url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-rg65-45m7-hq57" } ], "weaknesses": [ { "cwe_id": 22, "name": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "description": "The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory." } ], "exploits": [], "severity_range_score": "7.0 - 8.9", "exploitability": null, "weighted_severity": null, "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7nx2-8ku1-w3cm" }