CNNVD-202511-2177 Information

CNNVD ID

CNNVD-202511-2177

Related CVE

CVE-2025-65026

• CNNVD Published: 2025-11-19

Description (Chinese)

esm.sh是esm.sh开源的一个内容分发网络。 esm.sh 136之前版本存在代码注入漏洞，该漏洞源于CSS转JavaScript模块功能存在模板字面量注入漏洞，可能导致跨站脚本攻击或远程代码执行。

Description (English)

esm.sh is an open-source content distribution network of esm.sh. The pre-esm.sh 136 version has a code injection loophole, which stems from the fact that the CSS conversion JavaScript module function has a template type penetration gap that may result in a cross-site script attack or remote code execution.

Hazard Level

High

Vulnerability Type

代码注入

Affected Vendor

esm.sh

Published

2025-11-19

Last Modified

2026-02-24

References

https://github.com/esm-dev/esm.sh/security/advisories/GHSA-hcpf-qv9m-vfgp https://github.com/esm-dev/esm.sh/commit/87d2f6497574bf4448641a5527a3ac2beba5fd6c https://access.redhat.com/security/cve/cve-2025-65026

Patch

https://github.com/esm-dev/esm.sh/releases