Description

esm.sh is a nobuild content delivery network(CDN) for modern web development. Prior to version 136, The esm.sh CDN service contains a Template Literal Injection vulnerability (CWE-94) in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter, esm.sh converts it to a JavaScript module by embedding the CSS content directly into a template literal without proper sanitization. An attacker can inject malicious JavaScript code using ${...} expressions within CSS files, which will execute when the module is imported by victim applications. This enables Cross-Site Scripting (XSS) in browsers and Remote Code Execution (RCE) in Electron applications. This issue has been patched in version 136.

INFO

Published Date :

2025-11-19T17:33:11.469Z

Last Modified :

2025-11-20T14:19:17.852Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-65026 vulnerability.

Vendors Products
Esm
  • Esm.sh
Esm-dev
  • Esmsh
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-65026.

URL Resource
https://github.com/esm-dev/esm.sh/commit/87d2f6497574bf4448641a5527a3ac2beba5fd6c cve-icon cve-icon
https://github.com/esm-dev/esm.sh/security/advisories/GHSA-hcpf-qv9m-vfgp cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact