Home / Vulnerability Intelligence / CVE-2026-27730

CVE-2026-27730 - Vulnerability Analysis

HighCVSS: 8.6

Last Updated: February 27, 2026

esm.sh - Server Side Request Forgery

Published: February 25, 2026Updated: February 27, 2026Remote Exploitable

Overview

esm.sh <= 137 contains a server side request forgery caused by hostname string validation bypass in /http(s) fetch route, letting external attackers make the server fetch internal localhost services, exploit requires network access.

Severity & Score

Severity: High

CVSS Score: 8.6

EPSS Score: 3.4%(Probability of exploitation in next 30 days)

Impact

Attackers can make the server perform unauthorized internal network requests, potentially accessing sensitive internal services.

Mitigation

Update to the latest version once a patch is available.

References

https://github.com/esm-dev/esm.sh/security/advisories/GHSA-p2v6-84h2-5x4r

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Feb 25, 2026

🟠 CVE-2026-27730 - High (8.6) esm.sh is a no-build content delivery network (CDN) for web development. Versions up to and including 137 have an SSRF vulnerability (CWE-918) in esm.sh’s `/http(s)` fetch route. The service tries to block localhost/internal targets, but the val... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-27730/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-27730
Severity: High
CVSS Score: 8.6
Type: server_side_request_forgery
Status: unconfirmed
EPSS: 3.4%
Social Posts: 1

CWE

CWE-918

CVSS Metrics

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

EPSS Score

3.4%Probability of exploitation in the next 30 days