esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application’s storage base directory. As a result, supplying ../ sequences in X-Zone-Id causes files to be written to arbitrary directories.

CVE Database V5

Detailed information about CVE-2025-59342: CWE-24: Path Traversal: '../filedir' in esm-dev esm.sh affecting esm-dev esm.sh. Get real-time updates, technical det

CVE-2025-59342: CWE-24: Path Traversal: '../filedir' in esm-dev esm.sh - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-59342: CWE-24: Path Traversal: '../filedir' in esm-dev esm.sh

A security vulnerability has been detected in Portabilis i-Educar up to 2.10. Impacted is an unknown function of the file /module/Avaliacao/diarioApi. Such manipulation leads to information disclosure. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.

Detailed information about CVE-2025-10607: Information Disclosure in Portabilis i-Educar affecting Portabilis i-Educar. Get real-time updates, technical details

CVE-2025-10607: Information Disclosure in Portabilis i-Educar - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-10607: Information Disclosure in Portabilis i-Educar

esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources).

CVE-2025-59341 is a high-severity vulnerability classified under CWE-23 (Relative Path Traversal) affecting esm.sh, a no-build content delivery network (CDN) service used in modern web development. Versions up to and including 136 of esm.sh are vulnerable. The flaw arises from improper sanitization of user-supplied input in the URL handling logic of the esm.sh service, allowing an attacker to craft malicious requests that exploit relative path traversal sequences (e.g., '../') to access files outside the intended directory scope. This results in a Local File Inclusion (LFI) vulnerability where the server reads and returns arbitrary files from its host filesystem or other unintended file sources. The vulnerability does not require authentication or user interaction and can be exploited remotely over the network. The CVSS 4.0 base score of 7.7 reflects the ease of exploitation (network vector, low attack complexity), no privileges or user interaction required, and a high impact on confidentiality due to unauthorized disclosure of sensitive files. However, integrity and availability impacts are not present. No known exploits are currently reported in the wild, but the vulnerability's nature and severity suggest it could be leveraged for information disclosure, reconnaissance, or further attacks such as privilege escalation if sensitive configuration or credential files are exposed. The lack of available patches at the time of reporting increases the urgency for mitigation and monitoring. Given esm.sh's role as a CDN for web development, compromised instances could expose source code, environment variables, or other sensitive data critical to web applications relying on this service.

Detailed information about CVE-2025-59341: CWE-23: Relative Path Traversal in esm-dev esm.sh affecting esm-dev esm.sh. Get real-time updates, technical details,

CVE-2025-59341: CWE-23: Relative Path Traversal in esm-dev esm.sh - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-59341: CWE-23: Relative Path Traversal in esm-dev esm.sh

A vulnerability was determined in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464. This vulnerability affects unknown code of the file /Profilers/PriProfile/COUNT2.php. This manipulation of the argument cname causes sql injection. The attack may be initiated remotely. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available.

CVE-2025-10597 is a SQL Injection vulnerability identified in the kidaze CourseSelectionSystem, specifically affecting the code within the /Profilers/PriProfile/COUNT2.php file. The vulnerability arises from improper sanitization or validation of the 'cname' parameter, which can be manipulated by an attacker to inject malicious SQL commands. This injection flaw allows an unauthenticated remote attacker to execute arbitrary SQL queries on the backend database without requiring any user interaction or privileges. The product follows a rolling release model, making it difficult to pinpoint exact affected versions beyond the identified commit hash (42cd892b40a18d50bd4ed1905fa89f939173a464). The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low attack complexity, no privileges or user interaction needed, and limited impact on confidentiality, integrity, and availability. Exploiting this vulnerability could enable attackers to read, modify, or delete sensitive data stored in the database, potentially leading to data breaches or unauthorized system manipulation. However, no known exploits are currently reported in the wild, indicating either recent discovery or limited public exploitation. The vulnerability's presence in a course selection system suggests that educational institutions or organizations using this software could be targeted, with risks including exposure of student data, academic records, or administrative information.

Detailed information about CVE-2025-10597: SQL Injection in kidaze CourseSelectionSystem affecting kidaze CourseSelectionSystem. Get real-time updates, technica

CVE-2025-10597: SQL Injection in kidaze CourseSelectionSystem - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-10597: SQL Injection in kidaze CourseSelectionSystem

A weakness has been identified in Portabilis i-Educar up to 2.10. This issue affects some unknown processing of the file /module/Configuracao/ConfiguracaoMovimentoGeral. This manipulation of the argument tipoacao causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited.

Detailed information about CVE-2025-10606: Cross Site Scripting in Portabilis i-Educar affecting Portabilis i-Educar. Get real-time updates, technical details, 

CVE-2025-10606: Cross Site Scripting in Portabilis i-Educar

CVE-2025-10606: Cross Site Scripting in Portabilis i-Educar

Description

Technical Details

Related Threats

CVE-2025-59342: CWE-24: Path Traversal: '../filedir' in esm-dev esm.sh

CVE-2025-10607: Information Disclosure in Portabilis i-Educar

CVE-2025-59341: CWE-23: Relative Path Traversal in esm-dev esm.sh

CVE-2025-10597: SQL Injection in kidaze CourseSelectionSystem

CVE-2025-58767: CWE-400: Uncontrolled Resource Consumption in ruby rexml

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility