github.com/esm-dev/esm.sh

GHSA-2657-3c98-63jq

Gomalware1/20/2026
Description

esm.sh has a path traversal in extractPackageTarball enables file writes from malicious packages

References (7)
https://github.com/esm-dev/esm.sh/security/advisories/GHSA-2657-3c98-63jqgithub_advisoryhttps://nvd.nist.gov/vuln/detail/CVE-2026-23644github_advisoryhttps://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16github_advisoryhttps://github.com/esm-dev/esm.sh/commit/c62ab83c589e7b421a0e1376d2a00a4e48161093github_advisoryhttps://github.com/esm-dev/esm.shgithub_advisoryhttps://pkg.go.dev/vuln/GO-2025-4138github_advisoryhttps://pkg.go.dev/vuln/GO-2026-4332github_advisory
Details
EcosystemGo
Attack Typemalware
Published1/20/2026
Affected Versions
0
Related CVEs
CVE-2026-23644
Aliases
CVE-2026-23644
Quick Actions
All IncidentsGo Incidents
Agentic AI · Pentesting

Ready for Agentic Automated Testing?

Deploy autonomous AI agents that reason, exploit, and validate complex vulnerability chains — not another scanner, an agentic system that thinks like a senior pentester.

Zero false positives
PoC for every finding
30+ tools orchestrated
Book a DemoLearn More
Setup in 5 minutesSOC 2 & ISO 27001