CVE-2026-27730 – esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route

CVE ID : CVE-2026-27730

Published : Feb. 25, 2026, 4:23 p.m. | 45 minutes ago

Description : esm.sh is a no-build content delivery network (CDN) for web development. Versions up to and including 137 have an SSRF vulnerability (CWE-918) in esm.sh’s `/http(s)` fetch route. The service tries to block localhost/internal targets, but the validation is based on hostname string checks and can be bypassed using DNS alias domains. This allows an external requester to make the esm.sh server fetch internal localhost services. As of time of publication, no known patched versions exist.

Severity: 8.6 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2026-27730 – esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route

تکمیل ظرفیت سرور لهستان

سرور مناسب برای ترید و ارز دیجیتال

دیتاسنتر جدید در لهستان

سرور های جدید از اسپانیا

AMD EPYC & Ryzen از کشور انگلستان

آفر های جدید AMD EPYC و AMD Ryzen

آفر سرور اختصاصی از آمریکا

افزایش قیمت دامنه های ir از ۳۱ خرداد

افزایش قیمت جهانی دامنه .com

آفر های جدید سرور اختصاصی مرداد 1403

CVE-2026-27700 – Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo

سرور های جدید از روسیه-وارز

تخفیف ویژه دامنه .ASIA

ثبت دامنه .IO

انتقال رایگان پسوند دامنه PW

Kerio Control 9.2.4 Build 2223

نوشته های مشابه

CVE-2026-3206 – Improper management of context cancelations

CVE-2026-3188 – feiyuchuixue sz-boot-parent API templates path traversal

CVE-2026-27848 – Missing neutralization in Linksys MR9600, Linksys MX4200

CVE-2026-27847 – Missing authentication in Linksys MR9600, Linksys MX4200