Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
35 vulnerabilities
CVE-2026-39805 (GCVE-0-2026-39805)
Vulnerability from cvelistv5 – Published: 2026-05-01 20:34 – Updated: 2026-05-04 17:11
VLAI?
Title
CL.CL HTTP request smuggling via duplicate Content-Length in bandit
Summary
Inconsistent Interpretation of HTTP Requests vulnerability in mtrudel bandit allows HTTP request smuggling via duplicate Content-Length headers.
'Elixir.Bandit.Headers':get_content_length/1 in lib/bandit/headers.ex uses List.keyfind/3, which returns only the first matching header. When a request contains two Content-Length headers with different values, Bandit silently accepts it, uses the first value to read the body, and dispatches the remaining bytes as a second pipelined request on the same keep-alive connection. RFC 9112 §6.3 requires recipients to treat this as an unrecoverable framing error.
When Bandit sits behind a proxy that picks the last Content-Length value and forwards the request rather than rejecting it, an unauthenticated attacker can smuggle requests past edge WAF rules, path-based ACLs, rate limiting, and audit logging.
This issue affects bandit: before 1.11.0.
Severity ?
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39805",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-02T01:20:49.825555Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-02T01:21:12.460Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-c67r-gc9j-2qf7"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Bandit.Headers\u0027"
],
"packageName": "bandit",
"packageURL": "pkg:hex/bandit",
"product": "bandit",
"programFiles": [
"lib/bandit/headers.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Bandit.Headers\u0027:get_content_length/1"
}
],
"repo": "https://github.com/mtrudel/bandit",
"vendor": "mtrudel",
"versions": [
{
"lessThan": "1.11.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Bandit.Headers\u0027"
],
"packageName": "mtrudel/bandit",
"packageURL": "pkg:github/mtrudel/bandit",
"product": "bandit",
"programFiles": [
"lib/bandit/headers.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Bandit.Headers\u0027:get_content_length/1"
}
],
"repo": "https://github.com/mtrudel/bandit",
"vendor": "mtrudel",
"versions": [
{
"lessThan": "f2ca636eb6df385219957e8934e9fc6efa1630d1",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Mat Trudel"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Inconsistent Interpretation of HTTP Requests vulnerability in mtrudel bandit allows HTTP request smuggling via duplicate \u003ctt\u003eContent-Length\u003c/tt\u003e headers.\u003cp\u003e\u003ctt\u003e\u0027Elixir.Bandit.Headers\u0027:get_content_length/1\u003c/tt\u003e in \u003ctt\u003elib/bandit/headers.ex\u003c/tt\u003e uses \u003ctt\u003eList.keyfind/3\u003c/tt\u003e, which returns only the first matching header. When a request contains two \u003ctt\u003eContent-Length\u003c/tt\u003e headers with different values, Bandit silently accepts it, uses the first value to read the body, and dispatches the remaining bytes as a second pipelined request on the same keep-alive connection. RFC 9112 \u00a76.3 requires recipients to treat this as an unrecoverable framing error.\u003c/p\u003e\u003cp\u003eWhen Bandit sits behind a proxy that picks the last \u003ctt\u003eContent-Length\u003c/tt\u003e value and forwards the request rather than rejecting it, an unauthenticated attacker can smuggle requests past edge WAF rules, path-based ACLs, rate limiting, and audit logging.\u003c/p\u003e\u003cp\u003eThis issue affects bandit: before 1.11.0.\u003c/p\u003e"
}
],
"value": "Inconsistent Interpretation of HTTP Requests vulnerability in mtrudel bandit allows HTTP request smuggling via duplicate Content-Length headers.\n\n\u0027Elixir.Bandit.Headers\u0027:get_content_length/1 in lib/bandit/headers.ex uses List.keyfind/3, which returns only the first matching header. When a request contains two Content-Length headers with different values, Bandit silently accepts it, uses the first value to read the body, and dispatches the remaining bytes as a second pipelined request on the same keep-alive connection. RFC 9112 \u00a76.3 requires recipients to treat this as an unrecoverable framing error.\n\nWhen Bandit sits behind a proxy that picks the last Content-Length value and forwards the request rather than rejecting it, an unauthenticated attacker can smuggle requests past edge WAF rules, path-based ACLs, rate limiting, and audit logging.\n\nThis issue affects bandit: before 1.11.0."
}
],
"impacts": [
{
"capecId": "CAPEC-33",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-33 HTTP Request Smuggling"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T17:11:40.573Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-c67r-gc9j-2qf7"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-39805.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-39805"
},
{
"tags": [
"patch"
],
"url": "https://github.com/mtrudel/bandit/commit/f2ca636eb6df385219957e8934e9fc6efa1630d1"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "CL.CL HTTP request smuggling via duplicate Content-Length in bandit",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-39805",
"datePublished": "2026-05-01T20:34:29.400Z",
"dateReserved": "2026-04-07T12:28:54.916Z",
"dateUpdated": "2026-05-04T17:11:40.573Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39804 (GCVE-0-2026-39804)
Vulnerability from cvelistv5 – Published: 2026-05-01 20:34 – Updated: 2026-05-04 17:11
VLAI?
Title
WebSocket permessage-deflate inflate has no output-size cap in bandit
Summary
Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled.
'Elixir.Bandit.WebSocket.PerMessageDeflate':inflate/2 in lib/bandit/websocket/permessage_deflate.ex calls :zlib.inflate/2 with no output-size cap, then materializes the entire decompressed payload as a single binary via IO.iodata_to_binary/1. The websocket_options.max_frame_size option only bounds the on-the-wire (compressed) frame size, not the decompressed output. A high-ratio compressed frame (e.g. uniform data at ~1024:1 ratio) can stay well under any wire-size limit while forcing GiB-scale heap allocations in the connection process before any application code runs.
An unauthenticated attacker who can open a WebSocket connection can send a single such frame to exhaust the BEAM node's memory and trigger an OOM kill.
This vulnerability requires both Bandit's server-level websocket_options.compress and the per-upgrade compress: true option passed to WebSockAdapter.upgrade/4 to be enabled. Stock Phoenix and LiveView applications are not affected as they default to compress: false.
This issue affects bandit: from 0.5.9 before 1.11.0.
Severity ?
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39804",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-02T01:19:00.687361Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-02T01:19:55.677Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-frh3-6pv6-rc8j"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Bandit.WebSocket.PerMessageDeflate\u0027"
],
"packageName": "bandit",
"packageURL": "pkg:hex/bandit",
"product": "bandit",
"programFiles": [
"lib/bandit/websocket/permessage_deflate.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Bandit.WebSocket.PerMessageDeflate\u0027:inflate/2"
}
],
"repo": "https://github.com/mtrudel/bandit",
"vendor": "mtrudel",
"versions": [
{
"lessThan": "1.11.0",
"status": "affected",
"version": "0.5.9",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Bandit.WebSocket.PerMessageDeflate\u0027"
],
"packageName": "mtrudel/bandit",
"packageURL": "pkg:github/mtrudel/bandit",
"product": "bandit",
"programFiles": [
"lib/bandit/websocket/permessage_deflate.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Bandit.WebSocket.PerMessageDeflate\u0027:inflate/2"
}
],
"repo": "https://github.com/mtrudel/bandit",
"vendor": "mtrudel",
"versions": [
{
"lessThan": "8156921a51e684a951221da7bc30a70a022f722e",
"status": "affected",
"version": "da4027cff7d2b80319e76fe7a32f84beceec490a",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vulnerability is only reachable when both of the following conditions are true:\u003cul\u003e\u003cli\u003eBandit\u0027s server-level \u003ctt\u003ewebsocket_options.compress\u003c/tt\u003e is enabled (it defaults to \u003ctt\u003etrue\u003c/tt\u003e).\u003c/li\u003e\u003cli\u003eThe per-upgrade \u003ctt\u003ecompress: true\u003c/tt\u003e option is passed to \u003ctt\u003eWebSockAdapter.upgrade/4\u003c/tt\u003e (it defaults to \u003ctt\u003efalse\u003c/tt\u003e; Phoenix\u0027s default is also \u003ctt\u003efalse\u003c/tt\u003e).\u003c/li\u003e\u003c/ul\u003eStock Phoenix and LiveView applications are not affected because \u003ctt\u003ecompress: false\u003c/tt\u003e is their default."
}
],
"value": "The vulnerability is only reachable when both of the following conditions are true:\n- Bandit\u0027s server-level websocket_options.compress is enabled (it defaults to true).\n- The per-upgrade compress: true option is passed to WebSockAdapter.upgrade/4 (it defaults to false; Phoenix\u0027s default is also false).\n\nStock Phoenix and LiveView applications are not affected because compress: false is their default."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.11.0",
"versionStartIncluding": "0.5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled.\u003cp\u003e\u003ctt\u003e\u0027Elixir.Bandit.WebSocket.PerMessageDeflate\u0027:inflate/2\u003c/tt\u003e in \u003ctt\u003elib/bandit/websocket/permessage_deflate.ex\u003c/tt\u003e calls \u003ctt\u003e:zlib.inflate/2\u003c/tt\u003e with no output-size cap, then materializes the entire decompressed payload as a single binary via \u003ctt\u003eIO.iodata_to_binary/1\u003c/tt\u003e. The \u003ctt\u003ewebsocket_options.max_frame_size\u003c/tt\u003e option only bounds the on-the-wire (compressed) frame size, not the decompressed output. A high-ratio compressed frame (e.g. uniform data at ~1024:1 ratio) can stay well under any wire-size limit while forcing GiB-scale heap allocations in the connection process before any application code runs.\u003c/p\u003e\u003cp\u003eAn unauthenticated attacker who can open a WebSocket connection can send a single such frame to exhaust the BEAM node\u0027s memory and trigger an OOM kill.\u003c/p\u003e\u003cp\u003eThis vulnerability requires both Bandit\u0027s server-level \u003ctt\u003ewebsocket_options.compress\u003c/tt\u003e and the per-upgrade \u003ctt\u003ecompress: true\u003c/tt\u003e option passed to \u003ctt\u003eWebSockAdapter.upgrade/4\u003c/tt\u003e to be enabled. Stock Phoenix and LiveView applications are not affected as they default to \u003ctt\u003ecompress: false\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects bandit: from 0.5.9 before 1.11.0.\u003c/p\u003e"
}
],
"value": "Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled.\n\n\u0027Elixir.Bandit.WebSocket.PerMessageDeflate\u0027:inflate/2 in lib/bandit/websocket/permessage_deflate.ex calls :zlib.inflate/2 with no output-size cap, then materializes the entire decompressed payload as a single binary via IO.iodata_to_binary/1. The websocket_options.max_frame_size option only bounds the on-the-wire (compressed) frame size, not the decompressed output. A high-ratio compressed frame (e.g. uniform data at ~1024:1 ratio) can stay well under any wire-size limit while forcing GiB-scale heap allocations in the connection process before any application code runs.\n\nAn unauthenticated attacker who can open a WebSocket connection can send a single such frame to exhaust the BEAM node\u0027s memory and trigger an OOM kill.\n\nThis vulnerability requires both Bandit\u0027s server-level websocket_options.compress and the per-upgrade compress: true option passed to WebSockAdapter.upgrade/4 to be enabled. Stock Phoenix and LiveView applications are not affected as they default to compress: false.\n\nThis issue affects bandit: from 0.5.9 before 1.11.0."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T17:11:39.276Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-frh3-6pv6-rc8j"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-39804.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-39804"
},
{
"tags": [
"patch"
],
"url": "https://github.com/mtrudel/bandit/commit/8156921a51e684a951221da7bc30a70a022f722e"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WebSocket permessage-deflate inflate has no output-size cap in bandit",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Do not pass \u003ctt\u003ecompress: true\u003c/tt\u003e to \u003ctt\u003eWebSockAdapter.upgrade/4\u003c/tt\u003e. Omitting this option (or setting it to \u003ctt\u003efalse\u003c/tt\u003e) prevents permessage-deflate from being negotiated, so the inflate path is never reached."
}
],
"value": "Do not pass compress: true to WebSockAdapter.upgrade/4. Omitting this option (or setting it to false) prevents permessage-deflate from being negotiated, so the inflate path is never reached."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-39804",
"datePublished": "2026-05-01T20:34:24.604Z",
"dateReserved": "2026-04-07T12:28:54.916Z",
"dateUpdated": "2026-05-04T17:11:39.276Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39807 (GCVE-0-2026-39807)
Vulnerability from cvelistv5 – Published: 2026-05-01 20:34 – Updated: 2026-05-04 17:11
VLAI?
Title
Client-supplied URI scheme trusted without transport verification in bandit
Summary
Reliance on Untrusted Inputs in a Security Decision vulnerability in mtrudel bandit allows unauthenticated transport-state spoofing on plaintext HTTP connections.
'Elixir.Bandit.Pipeline':determine_scheme/2 in lib/bandit/pipeline.ex returns the client-supplied URI scheme verbatim, ignoring the transport's secure? flag. HTTP/1.1 absolute-form request targets (e.g. GET https://victim/path HTTP/1.1) and the HTTP/2 :scheme pseudo-header are both attacker-controlled strings that flow through this function. Over a plaintext TCP connection, a client can declare https and Bandit will set conn.scheme = :https even though no TLS was negotiated.
Downstream Plug consumers that branch on conn.scheme are silently misled: Plug.SSL's already-secure branch skips its HTTP→HTTPS redirect, cookies emitted with secure: true are sent over plaintext, audit logs record requests as having arrived over HTTPS, and CSRF/SameSite gating may make incorrect decisions.
This issue affects bandit: from 1.0.0 before 1.11.0.
Severity ?
CWE
- CWE-807 - Reliance on Untrusted Inputs in a Security Decision
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39807",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-02T01:17:52.498343Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-02T01:18:10.776Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-375f-4r2h-f99j"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Bandit.Pipeline\u0027"
],
"packageName": "bandit",
"packageURL": "pkg:hex/bandit",
"product": "bandit",
"programFiles": [
"lib/bandit/pipeline.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Bandit.Pipeline\u0027:determine_scheme/2"
}
],
"repo": "https://github.com/mtrudel/bandit",
"vendor": "mtrudel",
"versions": [
{
"lessThan": "1.11.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Bandit.Pipeline\u0027"
],
"packageName": "mtrudel/bandit",
"packageURL": "pkg:github/mtrudel/bandit",
"product": "bandit",
"programFiles": [
"lib/bandit/pipeline.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Bandit.Pipeline\u0027:determine_scheme/2"
}
],
"repo": "https://github.com/mtrudel/bandit",
"vendor": "mtrudel",
"versions": [
{
"lessThan": "45feea20dea8af7ffd7245271107b695c040e667",
"status": "affected",
"version": "ff2f829326cd5dcf7335939aef9775269d881e28",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe vulnerable system must be accepting plaintext (non-TLS) HTTP connections, either directly or via h2c. Deployments that exclusively use TLS are not affected.\u003c/p\u003e"
}
],
"value": "The vulnerable system must be accepting plaintext (non-TLS) HTTP connections, either directly or via h2c. Deployments that exclusively use TLS are not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.11.0",
"versionStartIncluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Mat Trudel"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Reliance on Untrusted Inputs in a Security Decision vulnerability in mtrudel bandit allows unauthenticated transport-state spoofing on plaintext HTTP connections.\u003cp\u003e\u003ctt\u003e\u0027Elixir.Bandit.Pipeline\u0027:determine_scheme/2\u003c/tt\u003e in \u003ctt\u003elib/bandit/pipeline.ex\u003c/tt\u003e returns the client-supplied URI scheme verbatim, ignoring the transport\u0027s \u003ctt\u003esecure?\u003c/tt\u003e flag. HTTP/1.1 absolute-form request targets (e.g. \u003ctt\u003eGET https://victim/path HTTP/1.1\u003c/tt\u003e) and the HTTP/2 \u003ctt\u003e:scheme\u003c/tt\u003e pseudo-header are both attacker-controlled strings that flow through this function. Over a plaintext TCP connection, a client can declare \u003ctt\u003ehttps\u003c/tt\u003e and Bandit will set \u003ctt\u003econn.scheme = :https\u003c/tt\u003e even though no TLS was negotiated.\u003c/p\u003e\u003cp\u003eDownstream Plug consumers that branch on \u003ctt\u003econn.scheme\u003c/tt\u003e are silently misled: \u003ctt\u003ePlug.SSL\u003c/tt\u003e\u0027s already-secure branch skips its HTTP\u2192HTTPS redirect, cookies emitted with \u003ctt\u003esecure: true\u003c/tt\u003e are sent over plaintext, audit logs record requests as having arrived over HTTPS, and CSRF/SameSite gating may make incorrect decisions.\u003c/p\u003e\u003cp\u003eThis issue affects bandit: from 1.0.0 before 1.11.0.\u003c/p\u003e"
}
],
"value": "Reliance on Untrusted Inputs in a Security Decision vulnerability in mtrudel bandit allows unauthenticated transport-state spoofing on plaintext HTTP connections.\n\n\u0027Elixir.Bandit.Pipeline\u0027:determine_scheme/2 in lib/bandit/pipeline.ex returns the client-supplied URI scheme verbatim, ignoring the transport\u0027s secure? flag. HTTP/1.1 absolute-form request targets (e.g. GET https://victim/path HTTP/1.1) and the HTTP/2 :scheme pseudo-header are both attacker-controlled strings that flow through this function. Over a plaintext TCP connection, a client can declare https and Bandit will set conn.scheme = :https even though no TLS was negotiated.\n\nDownstream Plug consumers that branch on conn.scheme are silently misled: Plug.SSL\u0027s already-secure branch skips its HTTP\u2192HTTPS redirect, cookies emitted with secure: true are sent over plaintext, audit logs record requests as having arrived over HTTPS, and CSRF/SameSite gating may make incorrect decisions.\n\nThis issue affects bandit: from 1.0.0 before 1.11.0."
}
],
"impacts": [
{
"capecId": "CAPEC-220",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-220 Client-Server Protocol Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-807",
"description": "CWE-807 Reliance on Untrusted Inputs in a Security Decision",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T17:11:38.567Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-375f-4r2h-f99j"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-39807.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-39807"
},
{
"tags": [
"patch"
],
"url": "https://github.com/mtrudel/bandit/commit/45feea20dea8af7ffd7245271107b695c040e667"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Client-supplied URI scheme trusted without transport verification in bandit",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-39807",
"datePublished": "2026-05-01T20:34:22.832Z",
"dateReserved": "2026-04-07T12:28:54.916Z",
"dateUpdated": "2026-05-04T17:11:38.567Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42786 (GCVE-0-2026-42786)
Vulnerability from cvelistv5 – Published: 2026-05-01 20:34 – Updated: 2026-05-04 17:11
VLAI?
Title
WebSocket fragmented message reassembly unbounded in bandit
Summary
Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion.
The fragment reassembly path in 'Elixir.Bandit.WebSocket.Connection':handle_frame/3 in lib/bandit/websocket/connection.ex appends every incoming Continuation{fin: false} frame's payload to a per-connection iolist with no cumulative size cap. The existing max_frame_size option only bounds individual frames; a peer that streams an unbounded number of continuation frames without ever setting fin=1 grows BEAM heap linearly until the OS or a supervisor kills the process.
Because the accumulation happens before WebSock.handle_in/2 is called, the application has no opportunity to interpose a size check. Phoenix Channels and LiveView both run over WebSock on Bandit, so a stock Phoenix application exposes this surface as soon as it accepts socket connections.
This issue affects bandit: from 0.5.0 before 1.11.0.
Severity ?
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42786",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-02T01:15:58.376139Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-02T01:16:39.704Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-pf94-94m9-536p"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Bandit.WebSocket.Connection\u0027"
],
"packageName": "bandit",
"packageURL": "pkg:hex/bandit",
"product": "bandit",
"programFiles": [
"lib/bandit/websocket/connection.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Bandit.WebSocket.Connection\u0027:handle_frame/3"
}
],
"repo": "https://github.com/mtrudel/bandit",
"vendor": "mtrudel",
"versions": [
{
"lessThan": "1.11.0",
"status": "affected",
"version": "0.5.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Bandit.WebSocket.Connection\u0027"
],
"packageName": "mtrudel/bandit",
"packageURL": "pkg:github/mtrudel/bandit",
"product": "bandit",
"programFiles": [
"lib/bandit/websocket/connection.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Bandit.WebSocket.Connection\u0027:handle_frame/3"
}
],
"repo": "https://github.com/mtrudel/bandit",
"vendor": "mtrudel",
"versions": [
{
"lessThan": "21612c7c7b1ce43eccd36d3af3a2299d23513667",
"status": "affected",
"version": "8909391f486d42138c5308410bc5ea49a65f4d46",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe application must accept WebSocket connections. Applications that expose no WebSocket endpoints are not affected.\u003c/p\u003e"
}
],
"value": "The application must accept WebSocket connections. Applications that expose no WebSocket endpoints are not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.11.0",
"versionStartIncluding": "0.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Mat Trudel"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion.\u003cp\u003eThe fragment reassembly path in \u003ctt\u003e\u0027Elixir.Bandit.WebSocket.Connection\u0027:handle_frame/3\u003c/tt\u003e in \u003ctt\u003elib/bandit/websocket/connection.ex\u003c/tt\u003e appends every incoming \u003ctt\u003eContinuation{fin: false}\u003c/tt\u003e frame\u0027s payload to a per-connection iolist with no cumulative size cap. The existing \u003ctt\u003emax_frame_size\u003c/tt\u003e option only bounds individual frames; a peer that streams an unbounded number of continuation frames without ever setting \u003ctt\u003efin=1\u003c/tt\u003e grows BEAM heap linearly until the OS or a supervisor kills the process.\u003c/p\u003e\u003cp\u003eBecause the accumulation happens before \u003ctt\u003eWebSock.handle_in/2\u003c/tt\u003e is called, the application has no opportunity to interpose a size check. Phoenix Channels and LiveView both run over \u003ctt\u003eWebSock\u003c/tt\u003e on Bandit, so a stock Phoenix application exposes this surface as soon as it accepts socket connections.\u003c/p\u003e\u003cp\u003eThis issue affects bandit: from 0.5.0 before 1.11.0.\u003c/p\u003e"
}
],
"value": "Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion.\n\nThe fragment reassembly path in \u0027Elixir.Bandit.WebSocket.Connection\u0027:handle_frame/3 in lib/bandit/websocket/connection.ex appends every incoming Continuation{fin: false} frame\u0027s payload to a per-connection iolist with no cumulative size cap. The existing max_frame_size option only bounds individual frames; a peer that streams an unbounded number of continuation frames without ever setting fin=1 grows BEAM heap linearly until the OS or a supervisor kills the process.\n\nBecause the accumulation happens before WebSock.handle_in/2 is called, the application has no opportunity to interpose a size check. Phoenix Channels and LiveView both run over WebSock on Bandit, so a stock Phoenix application exposes this surface as soon as it accepts socket connections.\n\nThis issue affects bandit: from 0.5.0 before 1.11.0."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T17:11:36.814Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-pf94-94m9-536p"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-42786.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-42786"
},
{
"tags": [
"patch"
],
"url": "https://github.com/mtrudel/bandit/commit/21612c7c7b1ce43eccd36d3af3a2299d23513667"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WebSocket fragmented message reassembly unbounded in bandit",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-42786",
"datePublished": "2026-05-01T20:34:17.014Z",
"dateReserved": "2026-04-29T18:06:33.251Z",
"dateUpdated": "2026-05-04T17:11:36.814Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42788 (GCVE-0-2026-42788)
Vulnerability from cvelistv5 – Published: 2026-05-01 20:34 – Updated: 2026-05-04 17:11
VLAI?
Title
HTTP/2 frame size limit checked after body is buffered in bandit
Summary
Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated memory exhaustion via oversized HTTP/2 frames.
'Elixir.Bandit.HTTP2.Frame':deserialize/2 in lib/bandit/http2/frame.ex checks the SETTINGS_MAX_FRAME_SIZE limit only after pattern-matching payload::binary-size(length), which requires the entire frame body to be present in memory before either the accept or reject clause can fire. A peer that announces a frame length up to the 24-bit maximum (~16 MiB) causes the server to buffer that entire body before the size guard is evaluated, regardless of the max_frame_size negotiated during the HTTP/2 handshake (default 16 KiB per RFC 9113).
An unauthenticated attacker holding many concurrent connections can force the server to buffer far more memory than the negotiated frame size limit should permit, leading to memory pressure and potential denial of service.
This issue affects bandit: from 0.3.6 before 1.11.0.
Severity ?
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42788",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-02T01:14:16.975049Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-02T01:14:50.042Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-q6v9-r226-v65f"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Bandit.HTTP2.Frame\u0027"
],
"packageName": "bandit",
"packageURL": "pkg:hex/bandit",
"product": "bandit",
"programFiles": [
"lib/bandit/http2/frame.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Bandit.HTTP2.Frame\u0027:deserialize/2"
}
],
"repo": "https://github.com/mtrudel/bandit",
"vendor": "mtrudel",
"versions": [
{
"lessThan": "1.11.0",
"status": "affected",
"version": "0.3.6",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Bandit.HTTP2.Frame\u0027"
],
"packageName": "mtrudel/bandit",
"packageURL": "pkg:github/mtrudel/bandit",
"product": "bandit",
"programFiles": [
"lib/bandit/http2/frame.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Bandit.HTTP2.Frame\u0027:deserialize/2"
}
],
"repo": "https://github.com/mtrudel/bandit",
"vendor": "mtrudel",
"versions": [
{
"lessThan": "1e8e55966da9129016b73d32f0e1df4630e3b463",
"status": "affected",
"version": "f00dd69a5b2a4863be585907acd853c4ffd41399",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.11.0",
"versionStartIncluding": "0.3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Mat Trudel"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated memory exhaustion via oversized HTTP/2 frames.\u003cp\u003e\u003ctt\u003e\u0027Elixir.Bandit.HTTP2.Frame\u0027:deserialize/2\u003c/tt\u003e in \u003ctt\u003elib/bandit/http2/frame.ex\u003c/tt\u003e checks the \u003ctt\u003eSETTINGS_MAX_FRAME_SIZE\u003c/tt\u003e limit only after pattern-matching \u003ctt\u003epayload::binary-size(length)\u003c/tt\u003e, which requires the entire frame body to be present in memory before either the accept or reject clause can fire. A peer that announces a frame length up to the 24-bit maximum (~16 MiB) causes the server to buffer that entire body before the size guard is evaluated, regardless of the \u003ctt\u003emax_frame_size\u003c/tt\u003e negotiated during the HTTP/2 handshake (default 16 KiB per RFC 9113).\u003c/p\u003e\u003cp\u003eAn unauthenticated attacker holding many concurrent connections can force the server to buffer far more memory than the negotiated frame size limit should permit, leading to memory pressure and potential denial of service.\u003c/p\u003e\u003cp\u003eThis issue affects bandit: from 0.3.6 before 1.11.0.\u003c/p\u003e"
}
],
"value": "Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated memory exhaustion via oversized HTTP/2 frames.\n\n\u0027Elixir.Bandit.HTTP2.Frame\u0027:deserialize/2 in lib/bandit/http2/frame.ex checks the SETTINGS_MAX_FRAME_SIZE limit only after pattern-matching payload::binary-size(length), which requires the entire frame body to be present in memory before either the accept or reject clause can fire. A peer that announces a frame length up to the 24-bit maximum (~16 MiB) causes the server to buffer that entire body before the size guard is evaluated, regardless of the max_frame_size negotiated during the HTTP/2 handshake (default 16 KiB per RFC 9113).\n\nAn unauthenticated attacker holding many concurrent connections can force the server to buffer far more memory than the negotiated frame size limit should permit, leading to memory pressure and potential denial of service.\n\nThis issue affects bandit: from 0.3.6 before 1.11.0."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T17:11:35.207Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-q6v9-r226-v65f"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-42788.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-42788"
},
{
"tags": [
"patch"
],
"url": "https://github.com/mtrudel/bandit/commit/1e8e55966da9129016b73d32f0e1df4630e3b463"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "HTTP/2 frame size limit checked after body is buffered in bandit",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-42788",
"datePublished": "2026-05-01T20:34:11.911Z",
"dateReserved": "2026-04-29T18:06:33.251Z",
"dateUpdated": "2026-05-04T17:11:35.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32148 (GCVE-0-2026-32148)
Vulnerability from cvelistv5 – Published: 2026-04-30 18:17 – Updated: 2026-05-01 04:33
VLAI?
Title
Lockfile checksums not verified in Hex allows dependency integrity bypass
Summary
Insufficient Verification of Data Authenticity vulnerability in hexpm hex (Hex.RemoteConverger module) allows dependency integrity bypass via unverified lockfile checksums.
Hex stores checksums for dependencies in the mix.lock file to ensure reproducible and integrity-checked builds. However, Hex.RemoteConverger.verify_resolved/2 never executes checksum verification because the lock data returned by Hex.Utils.lock/1 uses string-based dependency names, while the verification logic compares against atom-based names. This type mismatch causes the verification code path to be silently skipped. Checksums are still validated when packages are initially downloaded from the registry, but mismatches between the lockfile and resolved dependencies are not detected.
An attacker who can influence cached packages (e.g., via local cache poisoning or a compromised registry) can provide modified dependency contents that will be accepted without detection. The mix.lock file is silently rewritten with the checksum values from the registry, erasing evidence of tampering.
This issue affects hex: from 0.16.0 before 2.4.2.
Severity ?
CWE
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32148",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-30T19:03:06.385106Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T19:03:24.858Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/hexpm/hex/security/advisories/GHSA-hmv9-4mfr-m92v"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:hexpm:hex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Hex.RemoteConverger\u0027"
],
"packageName": "hex",
"packageURL": "pkg:otp/hex?repository_url=https:%2F%2Fgithub.com%2Fhexpm%2Fhex\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Fhexpm%2Fhex.git",
"product": "hex",
"programFiles": [
"lib/hex/remote_converger.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Hex.RemoteConverger\u0027:verify_resolved/2"
}
],
"repo": "https://github.com/hexpm/hex",
"vendor": "hexpm",
"versions": [
{
"lessThan": "2.4.2",
"status": "affected",
"version": "0.16.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:hexpm:hex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Hex.RemoteConverger\u0027"
],
"packageName": "hexpm/hex",
"packageURL": "pkg:github/hexpm/hex",
"product": "hex",
"programFiles": [
"lib/hex/remote_converger.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Hex.RemoteConverger\u0027:verify_resolved/2"
}
],
"repo": "https://github.com/hexpm/hex.git",
"vendor": "hexpm",
"versions": [
{
"lessThan": "d7528c8199a1144511508bf3a6460026a5a14c8e",
"status": "affected",
"version": "e01576f28c64af9fae6eb17e2dad30f6efcb303c",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hexpm:hex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.4.2",
"versionStartIncluding": "0.16.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Paul Fleischer"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Eric Meadows-J\u00f6nsson / Hex.pm"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insufficient Verification of Data Authenticity vulnerability in hexpm hex (\u003ctt\u003eHex.RemoteConverger\u003c/tt\u003e module) allows dependency integrity bypass via unverified lockfile checksums.\u003cp\u003eHex stores checksums for dependencies in the \u003ctt\u003emix.lock\u003c/tt\u003e file to ensure reproducible and integrity-checked builds. However, \u003ctt\u003eHex.RemoteConverger.verify_resolved/2\u003c/tt\u003e never executes checksum verification because the lock data returned by \u003ctt\u003eHex.Utils.lock/1\u003c/tt\u003e uses string-based dependency names, while the verification logic compares against atom-based names. This type mismatch causes the verification code path to be silently skipped. Checksums are still validated when packages are initially downloaded from the registry, but mismatches between the lockfile and resolved dependencies are not detected.\u003c/p\u003e\u003cp\u003eAn attacker who can influence cached packages (e.g., via local cache poisoning or a compromised registry) can provide modified dependency contents that will be accepted without detection. The \u003ctt\u003emix.lock\u003c/tt\u003e file is silently rewritten with the checksum values from the registry, erasing evidence of tampering.\u003c/p\u003e\u003cp\u003eThis issue affects hex: from 0.16.0 before 2.4.2.\u003c/p\u003e"
}
],
"value": "Insufficient Verification of Data Authenticity vulnerability in hexpm hex (Hex.RemoteConverger module) allows dependency integrity bypass via unverified lockfile checksums.\n\nHex stores checksums for dependencies in the mix.lock file to ensure reproducible and integrity-checked builds. However, Hex.RemoteConverger.verify_resolved/2 never executes checksum verification because the lock data returned by Hex.Utils.lock/1 uses string-based dependency names, while the verification logic compares against atom-based names. This type mismatch causes the verification code path to be silently skipped. Checksums are still validated when packages are initially downloaded from the registry, but mismatches between the lockfile and resolved dependencies are not detected.\n\nAn attacker who can influence cached packages (e.g., via local cache poisoning or a compromised registry) can provide modified dependency contents that will be accepted without detection. The mix.lock file is silently rewritten with the checksum values from the registry, erasing evidence of tampering.\n\nThis issue affects hex: from 0.16.0 before 2.4.2."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-354",
"description": "CWE-354 Improper Validation of Integrity Check Value",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-494",
"description": "CWE-494 Download of Code Without Integrity Check",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T04:33:38.198Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/hexpm/hex/security/advisories/GHSA-hmv9-4mfr-m92v"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-32148.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-32148"
},
{
"tags": [
"patch"
],
"url": "https://github.com/hexpm/hex/commit/d7528c8199a1144511508bf3a6460026a5a14c8e"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Lockfile checksums not verified in Hex allows dependency integrity bypass",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-32148",
"datePublished": "2026-04-30T18:17:03.783Z",
"dateReserved": "2026-03-10T22:37:29.213Z",
"dateUpdated": "2026-05-01T04:33:38.198Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32688 (GCVE-0-2026-32688)
Vulnerability from cvelistv5 – Published: 2026-04-27 13:45 – Updated: 2026-04-29 17:08
VLAI?
Title
Atom table exhaustion via HTTP/2 :scheme pseudo-header in plug_cowboy
Summary
Allocation of Resources Without Limits or Throttling vulnerability in elixir-plug plug_cowboy allows unauthenticated remote denial of service via atom table exhaustion.
Plug.Cowboy.Conn.conn/1 in lib/plug/cowboy/conn.ex calls String.to_atom/1 on the value returned by :cowboy_req.scheme/1. For HTTP/2 connections, cowlib passes the client-supplied :scheme pseudo-header value through verbatim without validation. Each unique value permanently allocates a new entry in the BEAM atom table. Since atoms are never garbage-collected and the atom table has a fixed limit (default 1,048,576), an unauthenticated attacker can exhaust the table by sending HTTP/2 requests with unique :scheme values, causing the Erlang VM to abort with system_limit and taking down the entire node.
This vulnerability does not affect HTTP/1.1, where cowboy derives the scheme from the listener type rather than from a client-supplied header.
This issue affects plug_cowboy: from 2.0.0 before 2.8.1.
Severity ?
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| elixir-plug | plug_cowboy |
Affected:
2.0.0 , < 2.8.1
(semver)
cpe:2.3:a:elixir-plug:plug_cowboy:*:*:*:*:*:*:*:* |
|||||||
|
|||||||||
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32688",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-27T19:04:33.154446Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T20:11:22.651Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-plug:plug_cowboy:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Plug.Cowboy.Conn\u0027"
],
"packageName": "plug_cowboy",
"packageURL": "pkg:hex/plug_cowboy",
"product": "plug_cowboy",
"programFiles": [
"lib/plug/cowboy/conn.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Plug.Cowboy.Conn\u0027:conn/1"
}
],
"repo": "https://github.com/elixir-plug/plug_cowboy",
"vendor": "elixir-plug",
"versions": [
{
"lessThan": "2.8.1",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-plug:plug_cowboy:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Plug.Cowboy.Conn\u0027"
],
"packageName": "elixir-plug/plug_cowboy",
"packageURL": "pkg:github/elixir-plug/plug_cowboy",
"product": "plug_cowboy",
"programFiles": [
"lib/plug/cowboy/conn.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Plug.Cowboy.Conn\u0027:conn/1"
}
],
"repo": "https://github.com/elixir-plug/plug_cowboy",
"vendor": "elixir-plug",
"versions": [
{
"lessThan": "bfb34cb45eb354e56437f7023fb306de1bf9c19b",
"status": "affected",
"version": "12ecfd024bb179d48b018fecf074e43fe6a19c83",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-plug:plug_cowboy:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.8.1",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Allocation of Resources Without Limits or Throttling vulnerability in elixir-plug plug_cowboy allows unauthenticated remote denial of service via atom table exhaustion.\u003cp\u003e\u003ctt\u003ePlug.Cowboy.Conn.conn/1\u003c/tt\u003e in \u003ctt\u003elib/plug/cowboy/conn.ex\u003c/tt\u003e calls \u003ctt\u003eString.to_atom/1\u003c/tt\u003e on the value returned by \u003ctt\u003e:cowboy_req.scheme/1\u003c/tt\u003e. For HTTP/2 connections, cowlib passes the client-supplied \u003ctt\u003e:scheme\u003c/tt\u003e pseudo-header value through verbatim without validation. Each unique value permanently allocates a new entry in the BEAM atom table. Since atoms are never garbage-collected and the atom table has a fixed limit (default 1,048,576), an unauthenticated attacker can exhaust the table by sending HTTP/2 requests with unique \u003ctt\u003e:scheme\u003c/tt\u003e values, causing the Erlang VM to abort with \u003ctt\u003esystem_limit\u003c/tt\u003e and taking down the entire node.\u003c/p\u003e\u003cp\u003eThis vulnerability does not affect HTTP/1.1, where cowboy derives the scheme from the listener type rather than from a client-supplied header.\u003c/p\u003e\u003cp\u003eThis issue affects plug_cowboy: from 2.0.0 before 2.8.1.\u003c/p\u003e"
}
],
"value": "Allocation of Resources Without Limits or Throttling vulnerability in elixir-plug plug_cowboy allows unauthenticated remote denial of service via atom table exhaustion.\n\nPlug.Cowboy.Conn.conn/1 in lib/plug/cowboy/conn.ex calls String.to_atom/1 on the value returned by :cowboy_req.scheme/1. For HTTP/2 connections, cowlib passes the client-supplied :scheme pseudo-header value through verbatim without validation. Each unique value permanently allocates a new entry in the BEAM atom table. Since atoms are never garbage-collected and the atom table has a fixed limit (default 1,048,576), an unauthenticated attacker can exhaust the table by sending HTTP/2 requests with unique :scheme values, causing the Erlang VM to abort with system_limit and taking down the entire node.\n\nThis vulnerability does not affect HTTP/1.1, where cowboy derives the scheme from the listener type rather than from a client-supplied header.\n\nThis issue affects plug_cowboy: from 2.0.0 before 2.8.1."
}
],
"impacts": [
{
"capecId": "CAPEC-125",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-125 Flooding"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T17:08:07.227Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-plug/plug_cowboy/security/advisories/GHSA-q8x4-x7mp-5vg2"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-32688.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-32688"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-plug/plug_cowboy/commit/bfb34cb45eb354e56437f7023fb306de1bf9c19b"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Atom table exhaustion via HTTP/2 :scheme pseudo-header in plug_cowboy",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Disable HTTP/2 on the \u003ctt\u003ePlug.Cowboy.https/3\u003c/tt\u003e listener by passing \u003ctt\u003eprotocol_options: %{protocols: [:http]}\u003c/tt\u003e in the cowboy options. This restricts the listener to HTTP/1.1, where the scheme is derived from the listener type and is not attacker-controlled."
}
],
"value": "Disable HTTP/2 on the Plug.Cowboy.https/3 listener by passing protocol_options: %{protocols: [:http]} in the cowboy options. This restricts the listener to HTTP/1.1, where the scheme is derived from the listener type and is not attacker-controlled."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-32688",
"datePublished": "2026-04-27T13:45:35.160Z",
"dateReserved": "2026-03-13T09:12:14.475Z",
"dateUpdated": "2026-04-29T17:08:07.227Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32147 (GCVE-0-2026-32147)
Vulnerability from cvelistv5 – Published: 2026-04-21 12:01 – Updated: 2026-04-22 04:13
VLAI?
Title
SFTP chroot bypass via path traversal in SSH_FXP_FSETSTAT
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to modify file attributes outside the configured chroot directory.
The SFTP daemon (ssh_sftpd) stores the raw, user-supplied path in file handles instead of the chroot-resolved path. When SSH_FXP_FSETSTAT is issued on such a handle, file attributes (permissions, ownership, timestamps) are modified on the real filesystem path, bypassing the root directory boundary entirely.
Any authenticated SFTP user on a server configured with the root option can modify file attributes of files outside the intended chroot boundary. The prerequisite is that a target file must exist on the real filesystem at the same relative path. Note that this vulnerability only allows modification of file attributes; file contents cannot be read or altered through this attack vector.
If the SSH daemon runs as root, this enables direct privilege escalation: an attacker can set the setuid bit on any binary, change ownership of sensitive files, or make system configuration world-writable.
This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:do_open/4 and ssh_sftpd:handle_op/4.
This issue affects OTP from OTP 17.0 until OTP 28.4.3, 27.3.4.11, and 26.2.5.20 corresponding to ssh from 3.01 until 5.5.3, 5.2.11.7, and 5.1.4.15.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32147",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T13:11:06.946869Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T13:11:40.325Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_sftpd"
],
"packageName": "ssh",
"packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/ssh_sftpd.erl"
],
"programRoutines": [
{
"name": "ssh_sftpd:do_open/4"
},
{
"name": "ssh_sftpd:handle_op/4"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "5.5.3",
"status": "unaffected"
},
{
"at": "5.2.11.7",
"status": "unaffected"
},
{
"at": "5.1.4.15",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "3.01",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_sftpd"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/ssh/src/ssh_sftpd.erl"
],
"programRoutines": [
{
"name": "ssh_sftpd:do_open/4"
},
{
"name": "ssh_sftpd:handle_op/4"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "28.4.3",
"status": "unaffected"
},
{
"at": "27.3.4.11",
"status": "unaffected"
},
{
"at": "26.2.5.20",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"changes": [
{
"at": "28c5d5a6c5f873dc701b597276271763e7d1c004",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "07b8f441ca711f9812fad9e9115bab3c3aa92f79",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The SFTP subsystem must be configured with the \u003ctt\u003eroot\u003c/tt\u003e option in \u003ctt\u003essh_sftpd:subsystem_spec/1\u003c/tt\u003e. The \u003ctt\u003eroot\u003c/tt\u003e option is not set by default."
}
],
"value": "The SFTP subsystem must be configured with the root option in ssh_sftpd:subsystem_spec/1. The root option is not set by default."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "John Downey"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Micha\u0142 W\u0105sowski"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Jakub Witczak"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Erlang OTP \u003ctt\u003essh\u003c/tt\u003e (\u003ctt\u003essh_sftpd\u003c/tt\u003e module) allows an authenticated SFTP user to modify file attributes outside the configured chroot directory.\u003cp\u003eThe SFTP daemon (\u003ctt\u003essh_sftpd\u003c/tt\u003e) stores the raw, user-supplied path in file handles instead of the chroot-resolved path. When \u003ctt\u003eSSH_FXP_FSETSTAT\u003c/tt\u003e is issued on such a handle, file attributes (permissions, ownership, timestamps) are modified on the real filesystem path, bypassing the root directory boundary entirely.\u003c/p\u003e\u003cp\u003eAny authenticated SFTP user on a server configured with the \u003ctt\u003eroot\u003c/tt\u003e option can modify file attributes of files outside the intended chroot boundary. The prerequisite is that a target file must exist on the real filesystem at the same relative path. Note that this vulnerability only allows modification of file attributes; file contents cannot be read or altered through this attack vector.\u003c/p\u003e\u003cp\u003eIf the SSH daemon runs as \u003ctt\u003eroot\u003c/tt\u003e, this enables direct privilege escalation: an attacker can set the setuid bit on any binary, change ownership of sensitive files, or make system configuration world-writable.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_sftpd.erl\u003c/tt\u003e and program routines \u003ctt\u003essh_sftpd:do_open/4\u003c/tt\u003e and \u003ctt\u003essh_sftpd:handle_op/4\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 28.4.3, 27.3.4.11, and 26.2.5.20 corresponding to \u003ctt\u003essh\u003c/tt\u003e from 3.01 until 5.5.3, 5.2.11.7, and 5.1.4.15.\u003c/p\u003e"
}
],
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to modify file attributes outside the configured chroot directory.\n\nThe SFTP daemon (ssh_sftpd) stores the raw, user-supplied path in file handles instead of the chroot-resolved path. When SSH_FXP_FSETSTAT is issued on such a handle, file attributes (permissions, ownership, timestamps) are modified on the real filesystem path, bypassing the root directory boundary entirely.\n\nAny authenticated SFTP user on a server configured with the root option can modify file attributes of files outside the intended chroot boundary. The prerequisite is that a target file must exist on the real filesystem at the same relative path. Note that this vulnerability only allows modification of file attributes; file contents cannot be read or altered through this attack vector.\n\nIf the SSH daemon runs as root, this enables direct privilege escalation: an attacker can set the setuid bit on any binary, change ownership of sensitive files, or make system configuration world-writable.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:do_open/4 and ssh_sftpd:handle_op/4.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.3, 27.3.4.11, and 26.2.5.20 corresponding to ssh from 3.01 until 5.5.3, 5.2.11.7, and 5.1.4.15."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T04:13:25.005Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-28jg-mw9x-hpm5"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-32147.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-32147"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/28c5d5a6c5f873dc701b597276271763e7d1c004"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SFTP chroot bypass via path traversal in SSH_FXP_FSETSTAT",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eDo not use the \u003ctt\u003eroot\u003c/tt\u003e option in \u003ctt\u003essh_sftpd:subsystem_spec/1\u003c/tt\u003e, and instead rely on OS-level chroot or container isolation to confine SFTP users.\u003c/li\u003e\u003cli\u003eEnsure the Erlang VM is not running as a privileged OS user. Running the VM as an unprivileged user limits the impact of this vulnerability, since attribute modifications are constrained by that user\u0027s OS-level permissions.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Do not use the root option in ssh_sftpd:subsystem_spec/1, and instead rely on OS-level chroot or container isolation to confine SFTP users.\n* Ensure the Erlang VM is not running as a privileged OS user. Running the VM as an unprivileged user limits the impact of this vulnerability, since attribute modifications are constrained by that user\u0027s OS-level permissions."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-32147",
"datePublished": "2026-04-21T12:01:20.350Z",
"dateReserved": "2026-03-10T22:37:29.213Z",
"dateUpdated": "2026-04-22T04:13:25.005Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32146 (GCVE-0-2026-32146)
Vulnerability from cvelistv5 – Published: 2026-04-11 12:59 – Updated: 2026-05-04 18:49
VLAI?
Title
Improper Path Validation in Git Dependency Handling Allows Arbitrary File System Modification
Summary
Improper path validation vulnerability in the Gleam compiler's handling of git dependencies allows arbitrary file system modification during dependency download.
Dependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or confinement to the intended dependency directory, allowing attacker-controlled paths (via relative traversal such as ../ or absolute paths) to target filesystem locations outside that directory. When resolving git dependencies (e.g. via gleam deps download), the computed path is used for filesystem operations including directory deletion and creation.
This vulnerability occurs during the dependency resolution and download phase, which is generally expected to be limited to fetching and preparing dependencies within a confined directory. A malicious direct or transitive git dependency can exploit this issue to delete and overwrite arbitrary directories outside the intended dependency directory, including attacker-chosen absolute paths, potentially causing data loss. In some environments, this may be further leveraged to achieve code execution, for example by overwriting git hooks or shell configuration files.
This issue affects Gleam from 1.9.0-rc1 until 1.15.4.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gleam | Gleam |
Affected:
1.9.0-rc1 , < *
(semver)
cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:* |
||||||||||||
|
||||||||||||||
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32146",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T17:44:39.043742Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T17:44:51.962Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"compiler-core"
],
"packageName": "gleam",
"packageURL": "pkg:sid/gleam.run/gleam",
"product": "Gleam",
"programFiles": [
"compiler-core/src/config.rs",
"compiler-core/src/manifest.rs"
],
"programRoutines": [
{
"name": "compiler_core::config::dependencies_map::deserialize"
},
{
"name": "compiler_core::config::package_name::deserialize"
}
],
"vendor": "Gleam",
"versions": [
{
"changes": [
{
"at": "1.15.4",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "1.9.0-rc1",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"compiler-core"
],
"packageName": "gleam-lang/gleam",
"packageURL": "pkg:github/gleam-lang/gleam",
"product": "Gleam",
"programFiles": [
"compiler-core/src/config.rs",
"compiler-core/src/manifest.rs"
],
"programRoutines": [
{
"name": "compiler_core::config::dependencies_map::deserialize"
},
{
"name": "compiler_core::config::package_name::deserialize"
}
],
"repo": "https://github.com/gleam-lang/gleam",
"vendor": "Gleam",
"versions": [
{
"changes": [
{
"at": "1.15.4",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "1.9.0-rc1",
"versionType": "semver"
},
{
"changes": [
{
"at": "92aae3913570e8d8962f6399404777d313045bfa",
"status": "unaffected"
},
{
"at": "2dc0467f822c75de94697a912755d172928ee40a",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "a4fde22445ab8e5cc79c2ff48971616cb570702c",
"versionType": "git"
}
]
},
{
"collectionURL": "https://ghcr.io",
"cpes": [
"cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"compiler-core"
],
"packageName": "gleam-lang/gleam",
"packageURL": "pkg:oci/gleam?repository_url=ghcr.io/gleam-lang",
"product": "Gleam",
"programFiles": [
"compiler-core/src/config.rs",
"compiler-core/src/manifest.rs"
],
"programRoutines": [
{
"name": "compiler_core::config::dependencies_map::deserialize"
},
{
"name": "compiler_core::config::package_name::deserialize"
}
],
"vendor": "Gleam",
"versions": [
{
"lessThan": "v1.15.4-elixir",
"status": "affected",
"version": "v1.9.0-rc1-elixir",
"versionType": "other"
},
{
"lessThan": "v1.15.4-erlang",
"status": "affected",
"version": "v1.9.0-rc1-erlang",
"versionType": "other"
},
{
"lessThan": "v1.15.4-node",
"status": "affected",
"version": "v1.9.0-rc1-node",
"versionType": "other"
},
{
"lessThan": "v1.15.4-node-slim",
"status": "affected",
"version": "v1.9.0-rc1-node-slim",
"versionType": "other"
},
{
"lessThan": "v1.15.4-elixir-slim",
"status": "affected",
"version": "v1.9.0-rc1-elixir-slim",
"versionType": "other"
},
{
"lessThan": "v1.15.4-erlang-slim",
"status": "affected",
"version": "v1.9.0-rc1-erlang-slim",
"versionType": "other"
},
{
"lessThan": "v1.15.4-erlang-alpine",
"status": "affected",
"version": "v1.9.0-rc1-erlang-alpine",
"versionType": "other"
},
{
"lessThan": "v1.15.4-elixir-alpine",
"status": "affected",
"version": "v1.9.0-rc1-elixir-alpine",
"versionType": "other"
},
{
"lessThan": "v1.15.4-node-alpine",
"status": "affected",
"version": "v1.9.0-rc1-node-alpine",
"versionType": "other"
},
{
"lessThan": "v1.15.4-scratch",
"status": "affected",
"version": "v1.9.0-rc1-scratch",
"versionType": "other"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe project must use git-based dependencies (direct or transitive), or the victim must run \u003ctt\u003egleam deps download\u003c/tt\u003e on a repository with a malicious \u003ctt\u003emanifest.toml\u003c/tt\u003e lockfile. Projects that exclusively use Hex dependencies and do not clone untrusted repositories are not affected.\u003c/p\u003e\u003cp\u003eProjects that exclusively use trusted or personally controlled git dependencies, or dependencies pinned to verified commit SHAs, are not exposed.\u003c/p\u003e"
}
],
"value": "The project must use git-based dependencies (direct or transitive), or the victim must run gleam deps download on a repository with a malicious manifest.toml lockfile. Projects that exclusively use Hex dependencies and do not clone untrusted repositories are not affected.\n\nProjects that exclusively use trusted or personally controlled git dependencies, or dependencies pinned to verified commit SHAs, are not exposed."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.15.4",
"versionStartIncluding": "1.9.0-rc1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "John Downey"
},
{
"lang": "en",
"type": "analyst",
"value": "Louis Pilfold"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper path validation vulnerability in the Gleam compiler\u0027s handling of git dependencies allows arbitrary file system modification during dependency download.\u003cp\u003eDependency names from \u003ctt\u003egleam.toml\u003c/tt\u003e and \u003ctt\u003emanifest.toml\u003c/tt\u003e are incorporated into filesystem paths without sufficient validation or confinement to the intended dependency directory, allowing attacker-controlled paths (via relative traversal such as \u003ctt\u003e../\u003c/tt\u003e or absolute paths) to target filesystem locations outside that directory. When resolving git dependencies (e.g. via \u003ctt\u003egleam deps download\u003c/tt\u003e), the computed path is used for filesystem operations including directory deletion and creation.\u003c/p\u003e\u003cp\u003eThis vulnerability occurs during the dependency resolution and download phase, which is generally expected to be limited to fetching and preparing dependencies within a confined directory. A malicious direct or transitive git dependency can exploit this issue to delete and overwrite arbitrary directories outside the intended dependency directory, including attacker-chosen absolute paths, potentially causing data loss. In some environments, this may be further leveraged to achieve code execution, for example by overwriting git hooks or shell configuration files.\u003c/p\u003e\u003cp\u003eThis issue affects Gleam from 1.9.0-rc1 until 1.15.4.\u003c/p\u003e"
}
],
"value": "Improper path validation vulnerability in the Gleam compiler\u0027s handling of git dependencies allows arbitrary file system modification during dependency download.\n\nDependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or confinement to the intended dependency directory, allowing attacker-controlled paths (via relative traversal such as ../ or absolute paths) to target filesystem locations outside that directory. When resolving git dependencies (e.g. via gleam deps download), the computed path is used for filesystem operations including directory deletion and creation.\n\nThis vulnerability occurs during the dependency resolution and download phase, which is generally expected to be limited to fetching and preparing dependencies within a confined directory. A malicious direct or transitive git dependency can exploit this issue to delete and overwrite arbitrary directories outside the intended dependency directory, including attacker-chosen absolute paths, potentially causing data loss. In some environments, this may be further leveraged to achieve code execution, for example by overwriting git hooks or shell configuration files.\n\nThis issue affects Gleam from 1.9.0-rc1 until 1.15.4."
}
],
"impacts": [
{
"capecId": "CAPEC-139",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-139 Relative Path Traversal"
}
]
},
{
"capecId": "CAPEC-597",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-597 Absolute Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T18:49:10.986Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/gleam-lang/gleam/security/advisories/GHSA-vq5j-55vx-wq8j"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-32146.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-32146"
},
{
"tags": [
"patch"
],
"url": "https://github.com/gleam-lang/gleam/commit/1aa5d8e594b0aa240bb213fce6ee19c65e6d5bcf"
},
{
"tags": [
"patch"
],
"url": "https://github.com/gleam-lang/gleam/commit/2dc0467f822c75de94697a912755d172928ee40a"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpgrade to Gleam 1.15.4 or later.\u003c/p\u003e\u003cp\u003eBoth patches must be applied: the original incomplete fix (\u003ctt\u003e1aa5d8e594b0aa240bb213fce6ee19c65e6d5bcf\u003c/tt\u003e, backported as \u003ctt\u003e55bb36e6d7febfbbc48c4d001e0ae13eb0312d78\u003c/tt\u003e to 1.15) and the follow-up fix (\u003ctt\u003e2dc0467f822c75de94697a912755d172928ee40a\u003c/tt\u003e, backported as \u003ctt\u003e92aae3913570e8d8962f6399404777d313045bfa\u003c/tt\u003e to 1.15). Gleam 1.15.4 includes both.\u003c/p\u003e"
}
],
"value": "Upgrade to Gleam 1.15.4 or later.\n\nBoth patches must be applied: the original incomplete fix (1aa5d8e594b0aa240bb213fce6ee19c65e6d5bcf, backported as 55bb36e6d7febfbbc48c4d001e0ae13eb0312d78 to 1.15) and the follow-up fix (2dc0467f822c75de94697a912755d172928ee40a, backported as 92aae3913570e8d8962f6399404777d313045bfa to 1.15). Gleam 1.15.4 includes both."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper Path Validation in Git Dependency Handling Allows Arbitrary File System Modification",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eAvoid using untrusted git dependencies, especially without pinning to a specific commit SHA\u003c/li\u003e\u003cli\u003eReview dependency trees carefully, including transitive git dependencies\u003c/li\u003e\u003cli\u003eRun dependency resolution commands in a restricted or isolated environment (e.g. containers)\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Avoid using untrusted git dependencies, especially without pinning to a specific commit SHA\n* Review dependency trees carefully, including transitive git dependencies\n* Run dependency resolution commands in a restricted or isolated environment (e.g. containers)"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-32146",
"datePublished": "2026-04-11T12:59:22.911Z",
"dateReserved": "2026-03-10T22:37:29.213Z",
"dateUpdated": "2026-05-04T18:49:10.986Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28808 (GCVE-0-2026-28808)
Vulnerability from cvelistv5 – Published: 2026-04-07 12:28 – Updated: 2026-04-07 14:38
VLAI?
Title
ScriptAlias CGI targets bypass directory auth in inets httpd (mod_auth vs mod_cgi path mismatch)
Summary
Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias.
When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect.
This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl.
This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
|
|
||
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28808",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T13:14:10.515632Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T13:14:16.481Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"modules": [
"inets"
],
"packageName": "inets",
"packageURL": "pkg:otp/inets?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/http_server/mod_alias.erl",
"src/http_server/mod_auth.erl",
"src/http_server/mod_cgi.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "9.6.2",
"status": "unaffected"
},
{
"at": "9.3.2.4",
"status": "unaffected"
},
{
"at": "9.1.0.6",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "5.10",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"modules": [
"inets"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/inets/src/http_server/mod_alias.erl",
"lib/inets/src/http_server/mod_auth.erl",
"lib/inets/src/http_server/mod_cgi.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "28.4.2",
"status": "unaffected"
},
{
"at": "27.3.4.10",
"status": "unaffected"
},
{
"at": "26.2.5.19",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"changes": [
{
"at": "8fc71ac6af4fbcc54103bec2983ef22e82942688",
"status": "unaffected"
},
{
"at": "9dfa0c51eac97866078e808dec2183cb7871ff7c",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "07b8f441ca711f9812fad9e9115bab3c3aa92f79",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The inets httpd server must use \u003ctt\u003escript_alias\u003c/tt\u003e to map a URL prefix to a CGI directory, combined with \u003ctt\u003edirectory\u003c/tt\u003e-based access controls (e.g., \u003ctt\u003emod_auth\u003c/tt\u003e) protecting the \u003ctt\u003escript_alias\u003c/tt\u003e target path. The vulnerability applies whenever the \u003ctt\u003escript_alias\u003c/tt\u003e target path differs from \u003ctt\u003eDocumentRoot\u003c/tt\u003e + URL prefix."
}
],
"value": "The inets httpd server must use script_alias to map a URL prefix to a CGI directory, combined with directory-based access controls (e.g., mod_auth) protecting the script_alias target path. The vulnerability applies whenever the script_alias target path differs from DocumentRoot + URL prefix."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "26.2.5.19",
"versionStartIncluding": "17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.10",
"versionStartIncluding": "27.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.4.2",
"versionStartIncluding": "28.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Igor Morgenstern / Aisle Research"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Konrad Pietrzak"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by \u003ctt\u003edirectory\u003c/tt\u003e rules when served via \u003ctt\u003escript_alias\u003c/tt\u003e.\u003cp\u003eWhen \u003ctt\u003escript_alias\u003c/tt\u003e maps a URL prefix to a directory outside \u003ctt\u003eDocumentRoot\u003c/tt\u003e, \u003ctt\u003emod_auth\u003c/tt\u003e evaluates \u003ctt\u003edirectory\u003c/tt\u003e-based access controls against the \u003ctt\u003eDocumentRoot\u003c/tt\u003e-relative path while \u003ctt\u003emod_cgi\u003c/tt\u003e executes the script at the \u003ctt\u003eScriptAlias\u003c/tt\u003e-resolved path. This path mismatch allows unauthenticated access to CGI scripts that \u003ctt\u003edirectory\u003c/tt\u003e rules were meant to protect.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/inets/src/http_server/mod_alias.erl\u003c/tt\u003e, \u003ctt\u003elib/inets/src/http_server/mod_auth.erl\u003c/tt\u003e, and \u003ctt\u003elib/inets/src/http_server/mod_cgi.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias.\n\nWhen script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect.\n\nThis vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:38:09.190Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-3vhp-h532-mc3f"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-28808.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-28808"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/8fc71ac6af4fbcc54103bec2983ef22e82942688"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/9dfa0c51eac97866078e808dec2183cb7871ff7c"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "ScriptAlias CGI targets bypass directory auth in inets httpd (mod_auth vs mod_cgi path mismatch)",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eMove CGI scripts inside \u003ctt\u003eDocumentRoot\u003c/tt\u003e and use \u003ctt\u003ealias\u003c/tt\u003e instead of \u003ctt\u003escript_alias\u003c/tt\u003e to ensure \u003ctt\u003emod_auth\u003c/tt\u003e resolves the correct path.\u003c/li\u003e\u003cli\u003eApply URL-based access controls at a reverse proxy layer to block unauthenticated access to the \u003ctt\u003escript_alias\u003c/tt\u003e URL prefix.\u003c/li\u003e\u003cli\u003eRemove \u003ctt\u003emod_cgi\u003c/tt\u003e from the httpd modules chain if CGI functionality is not required.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Move CGI scripts inside DocumentRoot and use alias instead of script_alias to ensure mod_auth resolves the correct path.\n* Apply URL-based access controls at a reverse proxy layer to block unauthenticated access to the script_alias URL prefix.\n* Remove mod_cgi from the httpd modules chain if CGI functionality is not required."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-28808",
"datePublished": "2026-04-07T12:28:16.056Z",
"dateReserved": "2026-03-03T14:40:00.590Z",
"dateUpdated": "2026-04-07T14:38:09.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32144 (GCVE-0-2026-32144)
Vulnerability from cvelistv5 – Published: 2026-04-07 12:28 – Updated: 2026-04-07 14:38
VLAI?
Title
OCSP designated-responder authorization bypass via missing signature verification
Summary
Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows OCSP designated-responder authorization bypass via missing signature verification.
The OCSP response validation in public_key:pkix_ocsp_validate/5 does not verify that a CA-designated responder certificate was cryptographically signed by the issuing CA. Instead, it only checks that the responder certificate's issuer name matches the CA's subject name and that the certificate has the OCSPSigning extended key usage. An attacker who can intercept or control OCSP responses can create a self-signed certificate with a matching issuer name and the OCSPSigning EKU, and use it to forge OCSP responses that mark revoked certificates as valid.
This affects SSL/TLS clients using OCSP stapling, which may accept connections to servers with revoked certificates, potentially transmitting sensitive data to compromised servers. Applications using the public_key:pkix_ocsp_validate/5 API directly are also affected, with impact depending on usage context.
This vulnerability is associated with program files lib/public_key/src/pubkey_ocsp.erl and program routines pubkey_ocsp:is_authorized_responder/3.
This issue affects OTP from OTP 27.0 until OTP 28.4.2 and 27.3.4.10 corresponding to public_key from 1.16 until 1.20.3 and 1.17.1.2, and ssl from 11.2 until 11.5.4 and 11.2.12.7.
Severity ?
CWE
- CWE-295 - Improper Certificate Validation
Assigner
References
| URL | Tags | |
|---|---|---|
|
|
||
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32144",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T13:15:14.355759Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T13:15:20.530Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"pubkey_ocsp"
],
"packageName": "public_key",
"packageURL": "pkg:otp/public_key?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/pubkey_ocsp.erl"
],
"programRoutines": [
{
"name": "pubkey_ocsp:is_authorized_responder/3"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "1.20.3",
"status": "unaffected"
},
{
"at": "1.17.1.2",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "1.16",
"versionType": "otp"
}
]
},
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssl_stapling"
],
"packageName": "ssl",
"packageURL": "pkg:otp/ssl?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/ssl_stapling.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "11.5.4",
"status": "unaffected"
},
{
"at": "11.2.12.7",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "11.2",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"pubkey_ocsp"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/public_key/src/pubkey_ocsp.erl"
],
"programRoutines": [
{
"name": "pubkey_ocsp:is_authorized_responder/3"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "28.4.2",
"status": "unaffected"
},
{
"at": "27.3.4.10",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "27.0",
"versionType": "otp"
},
{
"changes": [
{
"at": "ac7ff528be857c5d35eb29c7f24106e3a16d4891",
"status": "unaffected"
},
{
"at": "49033a6d93a5be0ee0dce04e1fb8b4ae7de1e0c0",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "601a012837ea0a5c8095bf24223132824177124d",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SSL/TLS must be configured with OCSP stapling enabled (e.g., \u003ctt\u003e{stapling, staple}\u003c/tt\u003e), or the application must call \u003ctt\u003epublic_key:pkix_ocsp_validate/5\u003c/tt\u003e directly. OCSP stapling is disabled by default (\u003ctt\u003e{stapling, no_staple}\u003c/tt\u003e)."
}
],
"value": "SSL/TLS must be configured with OCSP stapling enabled (e.g., {stapling, staple}), or the application must call public_key:pkix_ocsp_validate/5 directly. OCSP stapling is disabled by default ({stapling, no_staple})."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.10",
"versionStartIncluding": "27.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.4.2",
"versionStartIncluding": "28.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Igor Morgenstern / Aisle Research"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jakub Witczak"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Ingela Anderton Andin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows OCSP designated-responder authorization bypass via missing signature verification.\u003cp\u003eThe OCSP response validation in \u003ctt\u003epublic_key:pkix_ocsp_validate/5\u003c/tt\u003e does not verify that a CA-designated responder certificate was cryptographically signed by the issuing CA. Instead, it only checks that the responder certificate\u0027s issuer name matches the CA\u0027s subject name and that the certificate has the OCSPSigning extended key usage. An attacker who can intercept or control OCSP responses can create a self-signed certificate with a matching issuer name and the OCSPSigning EKU, and use it to forge OCSP responses that mark revoked certificates as valid.\u003c/p\u003e\u003cp\u003eThis affects SSL/TLS clients using OCSP stapling, which may accept connections to servers with revoked certificates, potentially transmitting sensitive data to compromised servers. Applications using the \u003ctt\u003epublic_key:pkix_ocsp_validate/5\u003c/tt\u003e API directly are also affected, with impact depending on usage context.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/public_key/src/pubkey_ocsp.erl\u003c/tt\u003e and program routines \u003ctt\u003epubkey_ocsp:is_authorized_responder/3\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 27.0 until OTP 28.4.2 and 27.3.4.10 corresponding to public_key from 1.16 until 1.20.3 and 1.17.1.2, and ssl from 11.2 until 11.5.4 and 11.2.12.7.\u003c/p\u003e"
}
],
"value": "Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows OCSP designated-responder authorization bypass via missing signature verification.\n\nThe OCSP response validation in public_key:pkix_ocsp_validate/5 does not verify that a CA-designated responder certificate was cryptographically signed by the issuing CA. Instead, it only checks that the responder certificate\u0027s issuer name matches the CA\u0027s subject name and that the certificate has the OCSPSigning extended key usage. An attacker who can intercept or control OCSP responses can create a self-signed certificate with a matching issuer name and the OCSPSigning EKU, and use it to forge OCSP responses that mark revoked certificates as valid.\n\nThis affects SSL/TLS clients using OCSP stapling, which may accept connections to servers with revoked certificates, potentially transmitting sensitive data to compromised servers. Applications using the public_key:pkix_ocsp_validate/5 API directly are also affected, with impact depending on usage context.\n\nThis vulnerability is associated with program files lib/public_key/src/pubkey_ocsp.erl and program routines pubkey_ocsp:is_authorized_responder/3.\n\nThis issue affects OTP from OTP 27.0 until OTP 28.4.2 and 27.3.4.10 corresponding to public_key from 1.16 until 1.20.3 and 1.17.1.2, and ssl from 11.2 until 11.5.4 and 11.2.12.7."
}
],
"impacts": [
{
"capecId": "CAPEC-459",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-459 Creating a Rogue Certification Authority Certificate"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:38:03.763Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-gxrm-pf64-99xm"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-32144.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-32144"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/ac7ff528be857c5d35eb29c7f24106e3a16d4891"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/49033a6d93a5be0ee0dce04e1fb8b4ae7de1e0c0"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OCSP designated-responder authorization bypass via missing signature verification",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cb\u003eFor SSL users:\u003c/b\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDo not enable OCSP validation setting (current default is \u003ctt\u003e{stapling, no_staple}\u003c/tt\u003e)\u003c/li\u003e\u003cli\u003eUse CRL-based revocation checking by setting the \u003ctt\u003e{crl_check, true}\u003c/tt\u003e SSL option instead\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cb\u003eFor applications using \u003ctt\u003epublic_key:pkix_ocsp_validate/5\u003c/tt\u003e directly:\u003c/b\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003ePass \u003ctt\u003e{is_trusted_responder_fun, Fun}\u003c/tt\u003e option with a function that validates trusted responder certificates\u003c/li\u003e\u003cli\u003eRestrict OCSP responder access to trusted endpoints via network controls (only applicable if you control the OCSP infrastructure)\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "For SSL users:\n\n* Do not enable OCSP validation setting (current default is {stapling, no_staple})\n* Use CRL-based revocation checking by setting the {crl_check, true} SSL option instead\n\nFor applications using public_key:pkix_ocsp_validate/5 directly:\n\n* Pass {is_trusted_responder_fun, Fun} option with a function that validates trusted responder certificates\n* Restrict OCSP responder access to trusted endpoints via network controls (only applicable if you control the OCSP infrastructure)"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-32144",
"datePublished": "2026-04-07T12:28:00.767Z",
"dateReserved": "2026-03-10T22:37:29.212Z",
"dateUpdated": "2026-04-07T14:38:03.763Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28810 (GCVE-0-2026-28810)
Vulnerability from cvelistv5 – Published: 2026-04-07 07:50 – Updated: 2026-04-08 04:08
VLAI?
Title
Predictable DNS Transaction IDs Enable Cache Poisoning in Built-in Resolver
Summary
Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP kernel (inet_res, inet_db modules) allows DNS Cache Poisoning.
The built-in DNS resolver (inet_res) uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source port randomization. Response validation relies almost entirely on this ID, making DNS cache poisoning practical for an attacker who can observe one query or predict the next ID. This conflicts with RFC 5452 recommendations for mitigating forged DNS answers.
inet_res is intended for use in trusted network environments and with trusted recursive resolvers. Earlier documentation did not clearly state this deployment assumption, which could lead users to deploy the resolver in environments where spoofed DNS responses are possible.
This vulnerability is associated with program files lib/kernel/src/inet_db.erl and lib/kernel/src/inet_res.erl.
This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to kernel from 3.0 until 10.6.2, 10.2.7.4 and 9.2.4.11.
Severity ?
CWE
- CWE-340 - Generation of Predictable Numbers or Identifiers
Assigner
References
| URL | Tags | |
|---|---|---|
|
|
||
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28810",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T16:27:52.481723Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T16:28:02.947Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"inet_res",
"inet_db"
],
"packageName": "kernel",
"packageURL": "pkg:otp/kernel?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/inet_db.erl",
"src/inet_res.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "10.6.2",
"status": "unaffected"
},
{
"at": "10.2.7.4",
"status": "unaffected"
},
{
"at": "9.2.4.11",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "3.0",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"inet_res",
"inet_db"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/kernel/src/inet_db.erl",
"lib/kernel/src/inet_res.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "28.4.2",
"status": "unaffected"
},
{
"at": "27.3.4.10",
"status": "unaffected"
},
{
"at": "26.2.5.19",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"changes": [
{
"at": "36f23c9d2cc54afe83671dd7343596d7972839a5",
"status": "unaffected"
},
{
"at": "dd15e8eb03548c5e55e9915f0e91389ec6bad9fd",
"status": "unaffected"
},
{
"at": "b057a9d995017b1be50d6dc02edd52382f3231b8",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "07b8f441ca711f9812fad9e9115bab3c3aa92f79",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The application must use \u003ctt\u003einet_res\u003c/tt\u003e for DNS resolution, either by configuring the lookup method to include \u003ctt\u003edns\u003c/tt\u003e in the kernel inet configuration, or by calling \u003ctt\u003einet_res\u003c/tt\u003e functions directly. The default Erlang/OTP configuration uses native OS resolution and is not affected."
}
],
"value": "The application must use inet_res for DNS resolution, either by configuring the lookup method to include dns in the kernel inet configuration, or by calling inet_res functions directly. The default Erlang/OTP configuration uses native OS resolution and is not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "26.2.5.19",
"versionStartIncluding": "17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.10",
"versionStartIncluding": "27.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.4.2",
"versionStartIncluding": "28.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Luigino Camastra / Aisle Research"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Raimo Niskanen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP kernel (inet_res, inet_db modules) allows DNS Cache Poisoning.\u003cp\u003eThe built-in DNS resolver (\u003ctt\u003einet_res\u003c/tt\u003e) uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source port randomization. Response validation relies almost entirely on this ID, making DNS cache poisoning practical for an attacker who can observe one query or predict the next ID. This conflicts with RFC 5452 recommendations for mitigating forged DNS answers.\u003c/p\u003e\u003cp\u003e\u003ctt\u003einet_res\u003c/tt\u003e is intended for use in trusted network environments and with trusted recursive resolvers. Earlier documentation did not clearly state this deployment assumption, which could lead users to deploy the resolver in environments where spoofed DNS responses are possible.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/kernel/src/inet_db.erl\u003c/tt\u003e and \u003ctt\u003elib/kernel/src/inet_res.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to kernel from 3.0 until 10.6.2, 10.2.7.4 and 9.2.4.11.\u003c/p\u003e"
}
],
"value": "Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP kernel (inet_res, inet_db modules) allows DNS Cache Poisoning.\n\nThe built-in DNS resolver (inet_res) uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source port randomization. Response validation relies almost entirely on this ID, making DNS cache poisoning practical for an attacker who can observe one query or predict the next ID. This conflicts with RFC 5452 recommendations for mitigating forged DNS answers.\n\ninet_res is intended for use in trusted network environments and with trusted recursive resolvers. Earlier documentation did not clearly state this deployment assumption, which could lead users to deploy the resolver in environments where spoofed DNS responses are possible.\n\nThis vulnerability is associated with program files lib/kernel/src/inet_db.erl and lib/kernel/src/inet_res.erl.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to kernel from 3.0 until 10.6.2, 10.2.7.4 and 9.2.4.11."
}
],
"impacts": [
{
"capecId": "CAPEC-142",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-142 DNS Cache Poisoning"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-340",
"description": "CWE-340 Generation of Predictable Numbers or Identifiers",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T04:08:49.797Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-v884-5jg5-whj8"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-28810.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-28810"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/36f23c9d2cc54afe83671dd7343596d7972839a5"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/dd15e8eb03548c5e55e9915f0e91389ec6bad9fd"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/b057a9d995017b1be50d6dc02edd52382f3231b8"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Predictable DNS Transaction IDs Enable Cache Poisoning in Built-in Resolver",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Install the Erlang nodes in a trusted network shielded from DNS reply spoofing by firewalls, and configure the \u003ctt\u003einet_res\u003c/tt\u003e resolver to only talk to trusted recursive name servers within that network."
}
],
"value": "Install the Erlang nodes in a trusted network shielded from DNS reply spoofing by firewalls, and configure the inet_res resolver to only talk to trusted recursive name servers within that network."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-28810",
"datePublished": "2026-04-07T07:50:11.072Z",
"dateReserved": "2026-03-03T14:40:00.590Z",
"dateUpdated": "2026-04-08T04:08:49.797Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32145 (GCVE-0-2026-32145)
Vulnerability from cvelistv5 – Published: 2026-04-02 10:30 – Updated: 2026-04-07 04:07
VLAI?
Title
Multipart form body parser bypasses body size limits in wisp
Summary
Allocation of Resources Without Limits or Throttling vulnerability in gleam-wisp wisp allows a denial of service via multipart form body parsing.
The multipart_body function bypasses configured max_body_size and max_files_size limits. When a multipart boundary is not present in a chunk, the parser takes the MoreRequiredForBody path, which appends the chunk to the output but passes the quota unchanged to the recursive call. Only the final chunk containing the boundary is counted via decrement_quota. The same pattern exists in multipart_headers, where MoreRequiredForHeaders recurses without calling decrement_body_quota.
An unauthenticated attacker can exhaust server memory or disk by sending arbitrarily large multipart form submissions in a single HTTP request.
This issue affects wisp: from 0.2.0 before 2.2.2.
Severity ?
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| gleam-wisp | wisp |
Affected:
0.2.0 , < 2.2.2
(semver)
cpe:2.3:a:gleam-wisp:wisp:*:*:*:*:*:*:*:* |
|||||||
|
|||||||||
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32145",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T13:29:06.824466Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T19:47:22.060Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:gleam-wisp:wisp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"wisp"
],
"packageName": "wisp",
"packageURL": "pkg:hex/wisp",
"product": "wisp",
"programFiles": [
"src/wisp.gleam"
],
"programRoutines": [
{
"name": "wisp:multipart_body/7"
},
{
"name": "wisp:multipart_headers/5"
}
],
"repo": "https://github.com/gleam-wisp/wisp",
"vendor": "gleam-wisp",
"versions": [
{
"lessThan": "2.2.2",
"status": "affected",
"version": "0.2.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:gleam-wisp:wisp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"wisp"
],
"packageName": "gleam-wisp/wisp",
"packageURL": "pkg:github/gleam-wisp/wisp",
"product": "wisp",
"programFiles": [
"src/wisp.gleam"
],
"programRoutines": [
{
"name": "wisp:multipart_body/7"
},
{
"name": "wisp:multipart_headers/5"
}
],
"repo": "https://github.com/gleam-wisp/wisp.git",
"vendor": "gleam-wisp",
"versions": [
{
"lessThan": "7a978748e12ab29db232c222254465890e1a4a90",
"status": "affected",
"version": "d8e722e22ccb42bda9d0b6248658d37ab4e9b376",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gleam-wisp:wisp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.2.2",
"versionStartIncluding": "0.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "John Downey"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Louis Pilfold"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Allocation of Resources Without Limits or Throttling vulnerability in gleam-wisp wisp allows a denial of service via multipart form body parsing.\u003cp\u003eThe \u003ctt\u003emultipart_body\u003c/tt\u003e function bypasses configured \u003ctt\u003emax_body_size\u003c/tt\u003e and \u003ctt\u003emax_files_size\u003c/tt\u003e limits. When a multipart boundary is not present in a chunk, the parser takes the \u003ctt\u003eMoreRequiredForBody\u003c/tt\u003e path, which appends the chunk to the output but passes the quota unchanged to the recursive call. Only the final chunk containing the boundary is counted via \u003ctt\u003edecrement_quota\u003c/tt\u003e. The same pattern exists in \u003ctt\u003emultipart_headers\u003c/tt\u003e, where \u003ctt\u003eMoreRequiredForHeaders\u003c/tt\u003e recurses without calling \u003ctt\u003edecrement_body_quota\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eAn unauthenticated attacker can exhaust server memory or disk by sending arbitrarily large multipart form submissions in a single HTTP request.\u003c/p\u003e\u003cp\u003eThis issue affects wisp: from 0.2.0 before 2.2.2.\u003c/p\u003e"
}
],
"value": "Allocation of Resources Without Limits or Throttling vulnerability in gleam-wisp wisp allows a denial of service via multipart form body parsing.\n\nThe multipart_body function bypasses configured max_body_size and max_files_size limits. When a multipart boundary is not present in a chunk, the parser takes the MoreRequiredForBody path, which appends the chunk to the output but passes the quota unchanged to the recursive call. Only the final chunk containing the boundary is counted via decrement_quota. The same pattern exists in multipart_headers, where MoreRequiredForHeaders recurses without calling decrement_body_quota.\n\nAn unauthenticated attacker can exhaust server memory or disk by sending arbitrarily large multipart form submissions in a single HTTP request.\n\nThis issue affects wisp: from 0.2.0 before 2.2.2."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T04:07:10.339Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/gleam-wisp/wisp/security/advisories/GHSA-8645-p2v4-73r2"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-32145.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-32145"
},
{
"tags": [
"patch"
],
"url": "https://github.com/gleam-wisp/wisp/commit/7a978748e12ab29db232c222254465890e1a4a90"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Multipart form body parser bypasses body size limits in wisp",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deploy a reverse proxy (such as nginx or HAProxy) in front of the wisp application and configure it to enforce request body size limits."
}
],
"value": "Deploy a reverse proxy (such as nginx or HAProxy) in front of the wisp application and configure it to enforce request body size limits."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-32145",
"datePublished": "2026-04-02T10:30:47.485Z",
"dateReserved": "2026-03-10T22:37:29.212Z",
"dateUpdated": "2026-04-07T04:07:10.339Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28809 (GCVE-0-2026-28809)
Vulnerability from cvelistv5 – Published: 2026-03-23 10:09 – Updated: 2026-04-07 14:38
VLAI?
Title
XXE in esaml SAML library allows local file read and potential SSRF
Summary
XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages.
esaml parses attacker-controlled SAML messages using xmerl_scan:string/2 before signature verification without disabling XML entity expansion. On Erlang/OTP versions before 27, Xmerl allows entities by default, enabling pre-signature XXE attacks. An attacker can cause the host to read local files (e.g., Kubernetes-mounted secrets) into the SAML document. If the attacker is not a trusted SAML SP, signature verification will fail and the document is discarded, but file contents may still be exposed through logs or error messages.
This issue affects all versions of esaml, including forks by arekinath, handnot2, and dropbox. Users running on Erlang/OTP 27 or later are not affected due to Xmerl defaulting to entities disabled.
Severity ?
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| dropbox | esaml |
cpe:2.3:a:dropbox:esaml:*:*:*:*:*:*:*:* cpe:2.3:a:arekinath:esaml:*:*:*:*:*:*:*:* cpe:2.3:a:handnot2:esaml:*:*:*:*:*:*:*:* |
||||||||||||||||||||||
|
||||||||||||||||||||||||
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28809",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-23T15:07:17.488260Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T15:52:46.187Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:dropbox:esaml:*:*:*:*:*:*:*:*",
"cpe:2.3:a:arekinath:esaml:*:*:*:*:*:*:*:*",
"cpe:2.3:a:handnot2:esaml:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"packageName": "esaml",
"packageURL": "pkg:hex/esaml",
"product": "esaml",
"vendor": "dropbox"
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:arekinath:esaml:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"packageName": "arekinath/esaml",
"packageURL": "pkg:github/arekinath/esaml",
"product": "esaml",
"repo": "https://github.com/arekinath/esaml.git",
"vendor": "arekinath"
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:handnot2:esaml:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"packageName": "handnot2/esaml",
"packageURL": "pkg:github/handnot2/esaml",
"product": "esaml",
"repo": "https://github.com/handnot2/esaml.git",
"vendor": "handnot2"
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:dropbox:esaml:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"packageName": "dropbox/esaml",
"packageURL": "pkg:github/dropbox/esaml",
"product": "esaml",
"repo": "https://github.com/dropbox/esaml.git",
"vendor": "dropbox"
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:jump-app:esaml:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"packageName": "Jump-App/esaml",
"packageURL": "pkg:github/Jump-App/esaml",
"product": "esaml",
"repo": "https://github.com/Jump-App/esaml.git",
"vendor": "Jump-App",
"versions": [
{
"lessThan": "bab85efde7c136911402a881ca55173759467a26",
"status": "affected",
"version": "0",
"versionType": "git"
},
{
"status": "unaffected",
"version": "bab85efde7c136911402a881ca55173759467a26",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The application must use esaml to process SAML messages and run on Erlang/OTP versions before 27. Starting with OTP 27, \u003ctt\u003exmerl_scan\u003c/tt\u003e disables entity expansion by default, which mitigates this vulnerability."
}
],
"value": "The application must use esaml to process SAML messages and run on Erlang/OTP versions before 27. Starting with OTP 27, xmerl_scan disables entity expansion by default, which mitigates this vulnerability."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:dropbox:esaml:*:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:arekinath:esaml:*:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:handnot2:esaml:*:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jump-app:esaml:*:*:*:*:*:*:*:*",
"versionEndExcluding": "bab85efde7c136911402a881ca55173759467a26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bryan Lynch"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages.\u003cp\u003eesaml parses attacker-controlled SAML messages using \u003ctt\u003exmerl_scan:string/2\u003c/tt\u003e before signature verification without disabling XML entity expansion. On Erlang/OTP versions before 27, Xmerl allows entities by default, enabling pre-signature XXE attacks. An attacker can cause the host to read local files (e.g., Kubernetes-mounted secrets) into the SAML document. If the attacker is not a trusted SAML SP, signature verification will fail and the document is discarded, but file contents may still be exposed through logs or error messages.\u003c/p\u003e\u003cp\u003eThis issue affects all versions of esaml, including forks by arekinath, handnot2, and dropbox. Users running on Erlang/OTP 27 or later are not affected due to Xmerl defaulting to entities disabled.\u003c/p\u003e"
}
],
"value": "XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages.\n\nesaml parses attacker-controlled SAML messages using xmerl_scan:string/2 before signature verification without disabling XML entity expansion. On Erlang/OTP versions before 27, Xmerl allows entities by default, enabling pre-signature XXE attacks. An attacker can cause the host to read local files (e.g., Kubernetes-mounted secrets) into the SAML document. If the attacker is not a trusted SAML SP, signature verification will fail and the document is discarded, but file contents may still be exposed through logs or error messages.\n\nThis issue affects all versions of esaml, including forks by arekinath, handnot2, and dropbox. Users running on Erlang/OTP 27 or later are not affected due to Xmerl defaulting to entities disabled."
}
],
"impacts": [
{
"capecId": "CAPEC-201",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-201 Serialized Data External Linking"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:38:07.406Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"third-party-advisory",
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-28809.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-28809"
},
{
"tags": [
"patch"
],
"url": "https://github.com/Jump-App/esaml/commit/bab85efde7c136911402a881ca55173759467a26"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "XXE in esaml SAML library allows local file read and potential SSRF",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to Erlang/OTP 27 or later. Starting with OTP 27, \u003ctt\u003exmerl_scan\u003c/tt\u003e disables entity expansion by default, which mitigates this vulnerability without changes to esaml."
}
],
"value": "Upgrade to Erlang/OTP 27 or later. Starting with OTP 27, xmerl_scan disables entity expansion by default, which mitigates this vulnerability without changes to esaml."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-28809",
"datePublished": "2026-03-23T10:09:29.233Z",
"dateReserved": "2026-03-03T14:40:00.590Z",
"dateUpdated": "2026-04-07T14:38:07.406Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23940 (GCVE-0-2026-23940)
Vulnerability from cvelistv5 – Published: 2026-03-13 16:07 – Updated: 2026-04-06 16:44
VLAI?
Title
Denial of Service via Oversized Package Upload
Summary
Uncontrolled Resource Consumption vulnerability in hexpm hexpm/hexpm allows Excessive Allocation. Publishing an oversized package can cause Hex.pm to run out of memory while extracting the uploaded package tarball. This can terminate the affected application instance and result in a denial of service for package publishing and potentially other package-processing functionality.
This issue affects hexpm: before 495f01607d3eae4aed7ad09b2f54f31ec7a7df01; hex.pm: before 2026-03-10.
Severity ?
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23940",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-16T17:06:18.779960Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T17:06:25.539Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:hexpm:hexpm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"packageName": "hexpm/hexpm",
"packageURL": "pkg:github/hexpm/hexpm",
"product": "hexpm",
"repo": "https://github.com/hexpm/hexpm.git",
"vendor": "hexpm",
"versions": [
{
"lessThan": "495f01607d3eae4aed7ad09b2f54f31ec7a7df01",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "hex.pm",
"vendor": "hexpm",
"versions": [
{
"lessThan": "2026-03-10",
"status": "affected",
"version": "0",
"versionType": "date"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hexpm:hexpm:*:*:*:*:*:*:*:*",
"versionEndExcluding": "495f01607d3eae4aed7ad09b2f54f31ec7a7df01",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joud Zakharia / zentrust partners GmbH"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Eric Meadows-J\u00f6nsson / Hex.pm"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Uncontrolled Resource Consumption vulnerability in hexpm hexpm/hexpm allows Excessive Allocation.\u003cp\u003ePublishing an oversized package can cause Hex.pm to run out of memory while extracting the uploaded package tarball. This can terminate the affected application instance and result in a denial of service for package publishing and potentially other package-processing functionality.\u003c/p\u003e\u003cp\u003eThis issue affects hexpm: before 495f01607d3eae4aed7ad09b2f54f31ec7a7df01; hex.pm: before 2026-03-10.\u003c/p\u003e"
}
],
"value": "Uncontrolled Resource Consumption vulnerability in hexpm hexpm/hexpm allows Excessive Allocation. Publishing an oversized package can cause Hex.pm to run out of memory while extracting the uploaded package tarball. This can terminate the affected application instance and result in a denial of service for package publishing and potentially other package-processing functionality.\n\nThis issue affects hexpm: before 495f01607d3eae4aed7ad09b2f54f31ec7a7df01; hex.pm: before 2026-03-10."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T16:44:14.100Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/hexpm/hexpm/security/advisories/GHSA-jp8w-gxf6-8hcr"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-23940.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-23940"
},
{
"tags": [
"patch"
],
"url": "https://github.com/hexpm/hexpm/commit/495f01607d3eae4aed7ad09b2f54f31ec7a7df01"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Denial of Service via Oversized Package Upload",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003ePrevent large package uploads by enforcing upload size limits at the reverse proxy or load balancer level.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Prevent large package uploads by enforcing upload size limits at the reverse proxy or load balancer level."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-23940",
"datePublished": "2026-03-13T16:07:53.328Z",
"dateReserved": "2026-01-19T14:23:14.343Z",
"dateUpdated": "2026-04-06T16:44:14.100Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23941 (GCVE-0-2026-23941)
Vulnerability from cvelistv5 – Published: 2026-03-13 09:11 – Updated: 2026-04-07 14:38
VLAI?
Title
Request smuggling via first-wins Content-Length parsing in inets httpd
Summary
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling.
This vulnerability is associated with program files lib/inets/src/http_server/httpd_request.erl and program routines httpd_request:parse_headers/7.
The server does not reject or normalize duplicate Content-Length headers. The earliest Content-Length in the request is used for body parsing while common reverse proxies (nginx, Apache httpd, Envoy) honor the last Content-Length value. This violates RFC 9112 Section 6.3 and allows front-end/back-end desynchronization, leaving attacker-controlled bytes queued as the start of the next request.
This issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to inets from 5.10 until 9.6.1, 9.3.2.3 and 9.1.0.5.
Severity ?
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Assigner
References
| URL | Tags | |
|---|---|---|
|
|
||
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23941",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T16:00:50.466386Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T16:00:56.733Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"httpd_request"
],
"packageName": "inets",
"packageURL": "pkg:otp/inets?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/http_server/httpd_request.erl"
],
"programRoutines": [
{
"name": "httpd_request:parse_headers/7"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "9.6.1",
"status": "unaffected"
},
{
"at": "9.3.2.3",
"status": "unaffected"
},
{
"at": "9.1.0.5",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "5.10",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"httpd_request"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/inets/src/http_server/httpd_request.erl"
],
"programRoutines": [
{
"name": "httpd_request:parse_headers/7"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "28.4.1",
"status": "unaffected"
},
{
"at": "27.3.4.9",
"status": "unaffected"
},
{
"at": "26.2.5.18",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"changes": [
{
"at": "a4b46336fd25aa100ac602eb9a627aaead7eda18",
"status": "unaffected"
},
{
"at": "a761d391d8d08316cbd7d4a86733ba932b73c45b",
"status": "unaffected"
},
{
"at": "e775a332f623851385ab6ddb866d9b150612ddf6",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The inets httpd server must be deployed behind a reverse proxy that honors a different Content-Length header than httpd (e.g., last vs. first). HTTP keep-alive must be enabled (the default)."
}
],
"value": "The inets httpd server must be deployed behind a reverse proxy that honors a different Content-Length header than httpd (e.g., last vs. first). HTTP keep-alive must be enabled (the default)."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "26.2.5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.9",
"versionStartIncluding": "27.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.4.1",
"versionStartIncluding": "28.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Luigino Camastra / Aisle Research"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Konrad Pietrzak"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027) vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling.\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/inets/src/http_server/httpd_request.erl\u003c/tt\u003e and program routines \u003ctt\u003ehttpd_request:parse_headers/7\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThe server does not reject or normalize duplicate Content-Length headers. The earliest Content-Length in the request is used for body parsing while common reverse proxies (nginx, Apache httpd, Envoy) honor the last Content-Length value. This violates RFC 9112 Section 6.3 and allows front-end/back-end desynchronization, leaving attacker-controlled bytes queued as the start of the next request.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to inets from 5.10 until 9.6.1, 9.3.2.3 and 9.1.0.5.\u003c/p\u003e"
}
],
"value": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027) vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling.\n\nThis vulnerability is associated with program files lib/inets/src/http_server/httpd_request.erl and program routines httpd_request:parse_headers/7.\n\nThe server does not reject or normalize duplicate Content-Length headers. The earliest Content-Length in the request is used for body parsing while common reverse proxies (nginx, Apache httpd, Envoy) honor the last Content-Length value. This violates RFC 9112 Section 6.3 and allows front-end/back-end desynchronization, leaving attacker-controlled bytes queued as the start of the next request.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to inets from 5.10 until 9.6.1, 9.3.2.3 and 9.1.0.5."
}
],
"impacts": [
{
"capecId": "CAPEC-33",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-33 HTTP Request Smuggling"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:38:08.041Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-w4jc-9wpv-pqh7"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-23941.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-23941"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/a4b46336fd25aa100ac602eb9a627aaead7eda18"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/a761d391d8d08316cbd7d4a86733ba932b73c45b"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/e775a332f623851385ab6ddb866d9b150612ddf6"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Request smuggling via first-wins Content-Length parsing in inets httpd",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eConfigure frontend proxy to reject requests with duplicate Content-Length headers.\u003c/li\u003e\u003cli\u003eDisable HTTP keep-alive on httpd by adding \u003ctt\u003e{keep_alive, false}\u003c/tt\u003e to httpd configuration. Note: This impacts performance for clients making multiple requests.\u003c/li\u003e\u003cli\u003eDeploy a Web Application Firewall (WAF) configured to reject requests with multiple Content-Length headers.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Configure frontend proxy to reject requests with duplicate Content-Length headers.\n* Disable HTTP keep-alive on httpd by adding `{keep_alive, false}` to httpd configuration. Note: This impacts performance for clients making multiple requests.\n* Deploy a Web Application Firewall (WAF) configured to reject requests with multiple Content-Length headers."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-23941",
"datePublished": "2026-03-13T09:11:58.175Z",
"dateReserved": "2026-01-19T14:23:14.343Z",
"dateUpdated": "2026-04-07T14:38:08.041Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23943 (GCVE-0-2026-23943)
Vulnerability from cvelistv5 – Published: 2026-03-13 09:11 – Updated: 2026-04-07 14:38
VLAI?
Title
Pre-auth SSH DoS via unbounded zlib inflate
Summary
Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion.
The SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication without any size limit, enabling reliable memory exhaustion DoS.
Two compression algorithms are affected:
* zlib: Activates immediately after key exchange, enabling unauthenticated attacks
* zlib@openssh.com: Activates post-authentication, enabling authenticated attacks
Each SSH packet can decompress ~255 MB from 256 KB of wire data (1029:1 amplification ratio). Multiple packets can rapidly exhaust available memory, causing OOM kills in memory-constrained environments.
This vulnerability is associated with program files lib/ssh/src/ssh_transport.erl and program routines ssh_transport:decompress/2, ssh_transport:handle_packet_part/4.
This issue affects OTP from OTP 17.0 until OTP 28.4.1, 27.3.4.9 and 26.2.5.18 corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.
Severity ?
CWE
- CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
Assigner
References
| URL | Tags | |
|---|---|---|
|
|
||
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23943",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T16:01:40.898658Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T16:01:48.609Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_transport"
],
"packageName": "ssh",
"packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/ssh_transport.erl"
],
"programRoutines": [
{
"name": "ssh_transport:decompress/2"
},
{
"name": "ssh_transport:handle_packet_part/4"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "5.5.1",
"status": "unaffected"
},
{
"at": "5.2.11.6",
"status": "unaffected"
},
{
"at": "5.1.4.14",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "3.0.1",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_transport"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/ssh/src/ssh_transport.erl"
],
"programRoutines": [
{
"name": "ssh_transport:decompress/2"
},
{
"name": "ssh_transport:handle_packet_part/4"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "28.4.1",
"status": "unaffected"
},
{
"at": "27.3.4.9",
"status": "unaffected"
},
{
"at": "26.2.5.18",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"changes": [
{
"at": "43a87b949bdff12d629a8c34146711d9da93b1b1",
"status": "unaffected"
},
{
"at": "93073c3bd338c60cd2bae715ce6a1d4ffc1a8fd3",
"status": "unaffected"
},
{
"at": "0c1c04b191f6ab940e8fcfabce39eb5a8a6440a4",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "07b8f441ca711f9812fad9e9115bab3c3aa92f79",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The SSH server or client must advertise \u003ctt\u003ezlib\u003c/tt\u003e or \u003ctt\u003ezlib@openssh.com\u003c/tt\u003e compression. Both are enabled by default. With \u003ctt\u003ezlib\u003c/tt\u003e, the attack is pre-authentication; with \u003ctt\u003ezlib@openssh.com\u003c/tt\u003e, authentication is required first."
}
],
"value": "The SSH server or client must advertise zlib or zlib@openssh.com compression. Both are enabled by default. With zlib, the attack is pre-authentication; with zlib@openssh.com, authentication is required first."
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Igor Morgenstern / Aisle Research"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Micha\u0142 W\u0105sowski"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Jakub Witczak"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion.\u003cp\u003eThe SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication without any size limit, enabling reliable memory exhaustion DoS.\u003c/p\u003e\u003cp\u003eTwo compression algorithms are affected:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cb\u003ezlib:\u003c/b\u003e Activates immediately after key exchange, enabling unauthenticated attacks\u003c/li\u003e\u003cli\u003e\u003cb\u003ezlib@openssh.com:\u003c/b\u003e Activates post-authentication, enabling authenticated attacks\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eEach SSH packet can decompress ~255 MB from 256 KB of wire data (1029:1 amplification ratio). Multiple packets can rapidly exhaust available memory, causing OOM kills in memory-constrained environments.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_transport.erl\u003c/tt\u003e and program routines \u003ctt\u003essh_transport:decompress/2\u003c/tt\u003e, \u003ctt\u003essh_transport:handle_packet_part/4\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 28.4.1, 27.3.4.9 and 26.2.5.18 corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.\u003c/p\u003e"
}
],
"value": "Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion.\n\nThe SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication without any size limit, enabling reliable memory exhaustion DoS.\n\nTwo compression algorithms are affected:\n\n* zlib: Activates immediately after key exchange, enabling unauthenticated attacks\n* zlib@openssh.com: Activates post-authentication, enabling authenticated attacks\n\nEach SSH packet can decompress ~255 MB from 256 KB of wire data (1029:1 amplification ratio). Multiple packets can rapidly exhaust available memory, causing OOM kills in memory-constrained environments.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_transport.erl and program routines ssh_transport:decompress/2, ssh_transport:handle_packet_part/4.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.1, 27.3.4.9 and 26.2.5.18 corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
},
{
"capecId": "CAPEC-490",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-490 Amplification"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-409",
"description": "CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:38:05.652Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-c836-qprm-jw9r"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-23943.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-23943"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/43a87b949bdff12d629a8c34146711d9da93b1b1"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/93073c3bd338c60cd2bae715ce6a1d4ffc1a8fd3"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/0c1c04b191f6ab940e8fcfabce39eb5a8a6440a4"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Pre-auth SSH DoS via unbounded zlib inflate",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cb\u003eBest workaround - Disable all compression:\u003c/b\u003e\u003c/p\u003e\u003cpre\u003e{preferred_algorithms, [{compression, [\u0027none\u0027]}]}\u003c/pre\u003e\u003cp\u003e\u003cb\u003eAlternative mitigations (less secure):\u003c/b\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eDisable only pre-auth zlib compression (authenticated users can still exploit via zlib@openssh.com):\u003cpre\u003e{modify_algorithms, [{rm, [{compression, [\u0027zlib\u0027]}]}]}\u003c/pre\u003e\u003c/li\u003e\u003cli\u003eLimit concurrent sessions (reduces attack surface but does not prevent exploitation):\u003cpre\u003e{max_sessions, N} % Cap total concurrent sessions (default is infinity)\u003c/pre\u003e\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "Best workaround - Disable all compression:\n\n{preferred_algorithms, [{compression, [\u0027none\u0027]}]}\n\nAlternative mitigations (less secure):\n\n* Disable only pre-auth zlib compression (authenticated users can still exploit via zlib@openssh.com):\n {modify_algorithms, [{rm, [{compression, [\u0027zlib\u0027]}]}]}\n* Limit concurrent sessions (reduces attack surface but does not prevent exploitation):\n {max_sessions, N} % Cap total concurrent sessions (default is infinity)"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-23943",
"datePublished": "2026-03-13T09:11:57.794Z",
"dateReserved": "2026-01-19T14:23:14.343Z",
"dateUpdated": "2026-04-07T14:38:05.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23942 (GCVE-0-2026-23942)
Vulnerability from cvelistv5 – Published: 2026-03-13 09:11 – Updated: 2026-04-07 14:38
VLAI?
Title
SFTP root escape via component-agnostic prefix check in ssh_sftpd
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (ssh_sftpd module) allows Path Traversal.
This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:is_within_root/2.
The SFTP server uses string prefix matching via lists:prefix/2 rather than proper path component validation when checking if a path is within the configured root directory. This allows authenticated users to access sibling directories that share a common name prefix with the configured root directory. For example, if root is set to /home/user1, paths like /home/user10 or /home/user1_backup would incorrectly be considered within the root.
This issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |
|---|---|---|
|
|
||
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23942",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T16:02:31.222384Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T16:02:38.388Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_sftpd"
],
"packageName": "ssh",
"packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/ssh_sftpd.erl"
],
"programRoutines": [
{
"name": "ssh_sftpd:is_within_root/2"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "5.5.1",
"status": "unaffected"
},
{
"at": "5.2.11.6",
"status": "unaffected"
},
{
"at": "5.1.4.14",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "3.0.1",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_sftpd"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/ssh/src/ssh_sftpd.erl"
],
"programRoutines": [
{
"name": "ssh_sftpd:is_within_root/2"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "28.4.1",
"status": "unaffected"
},
{
"at": "27.3.4.9",
"status": "unaffected"
},
{
"at": "26.2.5.18",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"changes": [
{
"at": "27688a824f753d4c16371dc70e88753fb410590b",
"status": "unaffected"
},
{
"at": "9e0ac85d3485e7898e0da88a14be0ee2310a3b28",
"status": "unaffected"
},
{
"at": "5ed603a1211b83b8be2d1fc06d3f3bf30c3c9759",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The SFTP subsystem must be enabled on the SSH server, the SSH port must be reachable by the attacker, and a root directory must be configured. This is the case when \u003ctt\u003essh_sftpd\u003c/tt\u003e is included in the \u003ctt\u003esubsystems\u003c/tt\u003e option with a \u003ctt\u003eroot\u003c/tt\u003e parameter and there exist sibling directories sharing the same name prefix as the root."
}
],
"value": "The SFTP subsystem must be enabled on the SSH server, the SSH port must be reachable by the attacker, and a root directory must be configured. This is the case when ssh_sftpd is included in the subsystems option with a root parameter and there exist sibling directories sharing the same name prefix as the root."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "26.2.5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.9",
"versionStartIncluding": "27.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.4.1",
"versionStartIncluding": "28.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Luigino Camastra / Aisle Research"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jakub Witczak"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Micha\u0142 W\u0105sowski"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Erlang OTP (ssh_sftpd module) allows Path Traversal.\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_sftpd.erl\u003c/tt\u003e and program routines \u003ctt\u003essh_sftpd:is_within_root/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThe SFTP server uses string prefix matching via \u003ctt\u003elists:prefix/2\u003c/tt\u003e rather than proper path component validation when checking if a path is within the configured root directory. This allows authenticated users to access sibling directories that share a common name prefix with the configured root directory. For example, if root is set to \u003ctt\u003e/home/user1\u003c/tt\u003e, paths like \u003ctt\u003e/home/user10\u003c/tt\u003e or \u003ctt\u003e/home/user1_backup\u003c/tt\u003e would incorrectly be considered within the root.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.\u003c/p\u003e"
}
],
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Erlang OTP (ssh_sftpd module) allows Path Traversal.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:is_within_root/2.\n\nThe SFTP server uses string prefix matching via lists:prefix/2 rather than proper path component validation when checking if a path is within the configured root directory. This allows authenticated users to access sibling directories that share a common name prefix with the configured root directory. For example, if root is set to /home/user1, paths like /home/user10 or /home/user1_backup would incorrectly be considered within the root.\n\nThis issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:38:09.705Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-4749-w85x-hw9h"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-23942.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-23942"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/27688a824f753d4c16371dc70e88753fb410590b"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/9e0ac85d3485e7898e0da88a14be0ee2310a3b28"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/5ed603a1211b83b8be2d1fc06d3f3bf30c3c9759"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SFTP root escape via component-agnostic prefix check in ssh_sftpd",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eUse OS-level chroot to run the Erlang VM/SFTP server process in an isolated filesystem environment.\u003c/li\u003e\u003cli\u003eEnsure that no sensitive or precious data is readable or writable by the OS user running the Erlang VM.\u003c/li\u003e\u003cli\u003eEnsure that the SFTP server port is not reachable from untrusted machines.\u003c/li\u003e\u003cli\u003eUse directory naming conventions that avoid common prefixes (e.g., \u003ctt\u003e/home/users/alice/\u003c/tt\u003e instead of \u003ctt\u003e/home/user1/\u003c/tt\u003e).\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Use OS-level chroot to run the Erlang VM/SFTP server process in an isolated filesystem environment.\n* Ensure that no sensitive or precious data is readable or writable by the OS user running the Erlang VM.\n* Ensure that the SFTP server port is not reachable from untrusted machines.\n* Use directory naming conventions that avoid common prefixes (e.g., /home/users/alice/ instead of /home/user1/)."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-23942",
"datePublished": "2026-03-13T09:11:56.424Z",
"dateReserved": "2026-01-19T14:23:14.343Z",
"dateUpdated": "2026-04-07T14:38:09.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28807 (GCVE-0-2026-28807)
Vulnerability from cvelistv5 – Published: 2026-03-10 21:34 – Updated: 2026-04-06 16:44
VLAI?
Title
Path Traversal in wisp.serve_static allows arbitrary file read
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal.
The wisp.serve_static function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded sequence %2e%2e passes through string.replace unchanged, then uri.percent_decode converts it to .., which the OS resolves as directory traversal when the file is read.
An unauthenticated attacker can read any file readable by the application process in a single HTTP request, including application source code, configuration files, secrets, and system files.
This issue affects wisp: from 2.1.1 before 2.2.1.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| gleam-wisp | wisp |
Affected:
2.1.1 , < 2.2.1
(semver)
cpe:2.3:a:gleam-wisp:wisp:*:*:*:*:*:*:*:* |
|||||||
|
|||||||||
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28807",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-11T14:20:19.768057Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T14:20:59.654Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:gleam-wisp:wisp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"packageName": "wisp",
"packageURL": "pkg:hex/wisp",
"product": "wisp",
"repo": "https://github.com/gleam-wisp/wisp",
"vendor": "gleam-wisp",
"versions": [
{
"lessThan": "2.2.1",
"status": "affected",
"version": "2.1.1",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:gleam-wisp:wisp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"packageName": "gleam-wisp/wisp",
"packageURL": "pkg:github/gleam-wisp/wisp",
"product": "wisp",
"repo": "https://github.com/gleam-wisp/wisp.git",
"vendor": "gleam-wisp",
"versions": [
{
"lessThan": "161118c431047f7ef1ff7cabfcc38981877fdd93",
"status": "affected",
"version": "129dcb1fe10ab1e676145d91477535e1c90ab550",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gleam-wisp:wisp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.2.1",
"versionStartIncluding": "2.1.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "John Downey"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Louis Pilfold"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal.\u003cp\u003eThe \u003ctt\u003ewisp.serve_static\u003c/tt\u003e function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded sequence \u003ctt\u003e%2e%2e\u003c/tt\u003e passes through \u003ctt\u003estring.replace\u003c/tt\u003e unchanged, then \u003ctt\u003euri.percent_decode\u003c/tt\u003e converts it to \u003ctt\u003e..\u003c/tt\u003e, which the OS resolves as directory traversal when the file is read.\u003c/p\u003e\u003cp\u003eAn unauthenticated attacker can read any file readable by the application process in a single HTTP request, including application source code, configuration files, secrets, and system files.\u003c/p\u003e\u003cp\u003eThis issue affects wisp: from 2.1.1 before 2.2.1.\u003c/p\u003e"
}
],
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal.\n\nThe wisp.serve_static function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded sequence %2e%2e passes through string.replace unchanged, then uri.percent_decode converts it to .., which the OS resolves as directory traversal when the file is read.\n\nAn unauthenticated attacker can read any file readable by the application process in a single HTTP request, including application source code, configuration files, secrets, and system files.\n\nThis issue affects wisp: from 2.1.1 before 2.2.1."
}
],
"impacts": [
{
"capecId": "CAPEC-139",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-139 Relative Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T16:44:07.589Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/gleam-wisp/wisp/security/advisories/GHSA-h7cj-j2vv-qw8r"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-28807.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-28807"
},
{
"tags": [
"patch"
],
"url": "https://github.com/gleam-wisp/wisp/commit/161118c431047f7ef1ff7cabfcc38981877fdd93"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Path Traversal in wisp.serve_static allows arbitrary file read",
"x_generator": {
"engine": "Vulnogram 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-28807",
"datePublished": "2026-03-10T21:34:47.859Z",
"dateReserved": "2026-03-03T14:40:00.590Z",
"dateUpdated": "2026-04-06T16:44:07.589Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28806 (GCVE-0-2026-28806)
Vulnerability from cvelistv5 – Published: 2026-03-10 21:30 – Updated: 2026-04-06 16:44
VLAI?
Title
Improper authorization in device bulk actions and device update API allows cross-organization device control
Summary
Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API.
Missing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level.
An attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control. This may allow attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity.
In environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices.
This issue affects nerves_hub_web: from 1.0.0 before 2.4.0.
Severity ?
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| nerves-hub | nerves_hub_web |
Affected:
1.0.0 , < 2.4.0
(semver)
cpe:2.3:a:nerves-hub:nerves_hub_web:*:*:*:*:*:*:*:* |
||||||||||||
|
||||||||||||||
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28806",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-11T14:36:05.863739Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T14:36:23.357Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:nerves-hub:nerves_hub_web:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"packageName": "nerves_hub",
"packageURL": "pkg:otp/nerves_hub?repository_url=https:%2F%2Fgithub.com%2Fnerves-hub%2Fnerves_hub_web\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Fnerves-hub%2Fnerves_hub_web.git",
"product": "nerves_hub_web",
"repo": "https://github.com/nerves-hub/nerves_hub_web",
"vendor": "nerves-hub",
"versions": [
{
"lessThan": "2.4.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://ghcr.io",
"cpes": [
"cpe:2.3:a:nerves-hub:nerves_hub_web:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"packageName": "nerves-hub/nerves-hub",
"packageURL": "pkg:oci/nerves-hub?repository_url=ghcr.io/nerves-hub",
"product": "nerves_hub_web",
"vendor": "nerves-hub",
"versions": [
{
"lessThan": "2.4.0",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:nerves-hub:nerves_hub_web:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"packageName": "nerves-hub/nerves_hub_web",
"packageURL": "pkg:github/nerves-hub/nerves_hub_web",
"product": "nerves_hub_web",
"repo": "https://github.com/nerves-hub/nerves_hub_web.git",
"vendor": "nerves-hub",
"versions": [
{
"lessThan": "1f69c9d595684a4650c3ac702f3dc7c5bcd7526c",
"status": "affected",
"version": "adaeefdb7a835525482588f43332ef988cc448c7",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nerves-hub:nerves_hub_web:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.4.0",
"versionStartIncluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Josh Kalderimis / NervesHub team \u0026 NervesCloud"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Lars Wikman / NervesHub team \u0026 NervesCloud"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API.\u003cp\u003eMissing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level.\u003c/p\u003e\u003cp\u003eAn attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control. This may allow attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity.\u003c/p\u003e\u003cp\u003eIn environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices.\u003c/p\u003e\u003cp\u003eThis issue affects nerves_hub_web: from 1.0.0 before 2.4.0.\u003c/p\u003e"
}
],
"value": "Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API.\n\nMissing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level.\n\nAn attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control. This may allow attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity.\n\nIn environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices.\n\nThis issue affects nerves_hub_web: from 1.0.0 before 2.4.0."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-668",
"description": "CWE-668 Exposure of Resource to Wrong Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T16:44:12.196Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/nerves-hub/nerves_hub_web/security/advisories/GHSA-f8fr-mccc-xvcx"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-28806.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-28806"
},
{
"tags": [
"patch"
],
"url": "https://github.com/nerves-hub/nerves_hub_web/commit/1f69c9d595684a4650c3ac702f3dc7c5bcd7526c"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Improper authorization in device bulk actions and device update API allows cross-organization device control",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-28806",
"datePublished": "2026-03-10T21:30:58.581Z",
"dateReserved": "2026-03-03T14:40:00.589Z",
"dateUpdated": "2026-04-06T16:44:12.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21622 (GCVE-0-2026-21622)
Vulnerability from cvelistv5 – Published: 2026-03-05 21:18 – Updated: 2026-04-21 04:15
VLAI?
Title
Password Reset Tokens Do Not Expire
Summary
Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Accounts.PasswordReset' module) allows Account Takeover.
Password reset tokens generated via the "Reset your password" flow do not expire. When a user requests a password reset, Hex sends an email containing a reset link with a token. This token remains valid indefinitely until used. There is no time-based expiration enforced.
If a user's historical emails are exposed through a data breach (e.g., a leaked mailbox archive), any unused password reset email contained in that dataset could be used by an attacker to reset the victim's password. The attacker does not need current access to the victim's email account, only access to a previously leaked copy of the reset email.
This vulnerability is associated with program files lib/hexpm/accounts/password_reset.ex and program routines 'Elixir.Hexpm.Accounts.PasswordReset':can_reset?/3.
This issue affects hexpm: from 617e44c71f1dd9043870205f371d375c5c4d886d before bb0e42091995945deef10556f58d046a52eb7884.
Severity ?
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21622",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T14:35:49.366785Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T02:43:06.195Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:hexpm:hexpm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Hexpm.Accounts.PasswordReset\u0027"
],
"packageName": "hexpm/hexpm",
"packageURL": "pkg:github/hexpm/hexpm",
"product": "hexpm",
"programFiles": [
"lib/hexpm/accounts/password_reset.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Hexpm.Accounts.PasswordReset\u0027:can_reset?/3"
}
],
"repo": "https://github.com/hexpm/hexpm.git",
"vendor": "hexpm",
"versions": [
{
"lessThan": "bb0e42091995945deef10556f58d046a52eb7884",
"status": "affected",
"version": "617e44c71f1dd9043870205f371d375c5c4d886d",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "hex.pm",
"vendor": "hexpm",
"versions": [
{
"lessThan": "2026-03-05",
"status": "affected",
"version": "2025-08-01",
"versionType": "date"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hexpm:hexpm:*:*:*:*:*:*:*:*",
"versionEndExcluding": "bb0e42091995945deef10556f58d046a52eb7884",
"versionStartIncluding": "617e44c71f1dd9043870205f371d375c5c4d886d",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Lubas / Paraxial.io"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Eric Meadows-J\u00f6nsson / Hex.pm"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm (\u0027Elixir.Hexpm.Accounts.PasswordReset\u0027 module) allows Account Takeover.\u003cp\u003ePassword reset tokens generated via the \"Reset your password\" flow do not expire. When a user requests a password reset, Hex sends an email containing a reset link with a token. This token remains valid indefinitely until used. There is no time-based expiration enforced.\u003c/p\u003e\u003cp\u003eIf a user\u0027s historical emails are exposed through a data breach (e.g., a leaked mailbox archive), any unused password reset email contained in that dataset could be used by an attacker to reset the victim\u0027s password. The attacker does not need current access to the victim\u0027s email account, only access to a previously leaked copy of the reset email.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/hexpm/accounts/password_reset.ex\u003c/tt\u003e and program routines \u003ctt\u003e\u0027Elixir.Hexpm.Accounts.PasswordReset\u0027:can_reset?/3\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects hexpm: from 617e44c71f1dd9043870205f371d375c5c4d886d before bb0e42091995945deef10556f58d046a52eb7884.\u003c/p\u003e"
}
],
"value": "Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm (\u0027Elixir.Hexpm.Accounts.PasswordReset\u0027 module) allows Account Takeover.\n\nPassword reset tokens generated via the \"Reset your password\" flow do not expire. When a user requests a password reset, Hex sends an email containing a reset link with a token. This token remains valid indefinitely until used. There is no time-based expiration enforced.\n\nIf a user\u0027s historical emails are exposed through a data breach (e.g., a leaked mailbox archive), any unused password reset email contained in that dataset could be used by an attacker to reset the victim\u0027s password. The attacker does not need current access to the victim\u0027s email account, only access to a previously leaked copy of the reset email.\n\nThis vulnerability is associated with program files lib/hexpm/accounts/password_reset.ex and program routines \u0027Elixir.Hexpm.Accounts.PasswordReset\u0027:can_reset?/3.\n\nThis issue affects hexpm: from 617e44c71f1dd9043870205f371d375c5c4d886d before bb0e42091995945deef10556f58d046a52eb7884."
}
],
"impacts": [
{
"capecId": "CAPEC-21",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-21 Exploitation of Session Variables, Resource IDs and other Trusted Credentials"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.5,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T04:15:20.750Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/hexpm/hexpm/security/advisories/GHSA-6r94-pvwf-mxqm"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-21622.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-21622"
},
{
"tags": [
"patch"
],
"url": "https://github.com/hexpm/hexpm/commit/bb0e42091995945deef10556f58d046a52eb7884"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Password Reset Tokens Do Not Expire",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUsers who suspect email exposure should:\u003c/p\u003e\u003cul\u003e\u003cli\u003eImmediately reset their password.\u003c/li\u003e\u003cli\u003eEnable and enforce 2FA.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThere is no complete mitigation without implementing token expiration.\u003c/p\u003e"
}
],
"value": "Users who suspect email exposure should:\n\n* Immediately reset their password.\n* Enable and enforce 2FA.\n\nThere is no complete mitigation without implementing token expiration."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-21622",
"datePublished": "2026-03-05T21:18:03.883Z",
"dateReserved": "2026-01-01T03:46:45.934Z",
"dateUpdated": "2026-04-21T04:15:20.750Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21621 (GCVE-0-2026-21621)
Vulnerability from cvelistv5 – Published: 2026-03-05 19:20 – Updated: 2026-04-06 16:44
VLAI?
Title
Improper Scope Enforcement in OAuth client_credentials Flow Allows Read-Only API Key to Escalate to Full Access
Summary
Incorrect Authorization vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.API.OAuthController' module) allows Privilege Escalation.
An API key created with read-only permissions (domain: "api", resource: "read") can be escalated to full write access under specific conditions.
When exchanging a read-only API key via the OAuth client_credentials grant, the resource qualifier is ignored. The resulting JWT receives the broad "api" scope instead of the expected "api:read" scope. This token is therefore treated as having full API access.
If an attacker is able to obtain a victim's read-only API key and a valid 2FA (TOTP) code for the victim account, they can use the incorrectly scoped JWT to create a new full-access API key with unrestricted API permissions that does not expire by default and can perform write operations such as publishing, retiring, or modifying packages.
This vulnerability is associated with program files lib/hexpm_web/controllers/api/oauth_controller.ex and program routines 'Elixir.HexpmWeb.API.OAuthController':validate_scopes_against_key/2.
This issue affects hexpm: from 71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b before 71c127afebb7ed7cc637eb231b98feb802d62999.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21621",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T18:03:45.435445Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T18:03:52.971Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:hexpm:hexpm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.HexpmWeb.API.OAuthController\u0027"
],
"packageName": "hexpm/hexpm",
"packageURL": "pkg:github/hexpm/hexpm",
"product": "hexpm",
"programFiles": [
"lib/hexpm_web/controllers/api/oauth_controller.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.HexpmWeb.API.OAuthController\u0027:validate_scopes_against_key/2"
}
],
"repo": "https://github.com/hexpm/hexpm.git",
"vendor": "hexpm",
"versions": [
{
"lessThan": "71c127afebb7ed7cc637eb231b98feb802d62999",
"status": "affected",
"version": "71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "hex.pm",
"vendor": "hexpm",
"versions": [
{
"lessThan": "2026-03-05",
"status": "affected",
"version": "2025-08-18",
"versionType": "date"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hexpm:hexpm:*:*:*:*:*:*:*:*",
"versionEndExcluding": "71c127afebb7ed7cc637eb231b98feb802d62999",
"versionStartIncluding": "71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Lubas / Paraxial.io"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in hexpm hexpm/hexpm (\u0027Elixir.HexpmWeb.API.OAuthController\u0027 module) allows Privilege Escalation.\u003cp\u003eAn API key created with read-only permissions (domain: \"api\", resource: \"read\") can be escalated to full write access under specific conditions.\u003c/p\u003e\u003cp\u003eWhen exchanging a read-only API key via the OAuth client_credentials grant, the resource qualifier is ignored. The resulting JWT receives the broad \"api\" scope instead of the expected \"api:read\" scope. This token is therefore treated as having full API access.\u003c/p\u003e\u003cp\u003eIf an attacker is able to obtain a victim\u0027s read-only API key and a valid 2FA (TOTP) code for the victim account, they can use the incorrectly scoped JWT to create a new full-access API key with unrestricted API permissions that does not expire by default and can perform write operations such as publishing, retiring, or modifying packages.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/hexpm_web/controllers/api/oauth_controller.ex\u003c/tt\u003e and program routines \u003ctt\u003e\u0027Elixir.HexpmWeb.API.OAuthController\u0027:validate_scopes_against_key/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects hexpm: from 71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b before 71c127afebb7ed7cc637eb231b98feb802d62999.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in hexpm hexpm/hexpm (\u0027Elixir.HexpmWeb.API.OAuthController\u0027 module) allows Privilege Escalation.\n\nAn API key created with read-only permissions (domain: \"api\", resource: \"read\") can be escalated to full write access under specific conditions.\n\nWhen exchanging a read-only API key via the OAuth client_credentials grant, the resource qualifier is ignored. The resulting JWT receives the broad \"api\" scope instead of the expected \"api:read\" scope. This token is therefore treated as having full API access.\n\nIf an attacker is able to obtain a victim\u0027s read-only API key and a valid 2FA (TOTP) code for the victim account, they can use the incorrectly scoped JWT to create a new full-access API key with unrestricted API permissions that does not expire by default and can perform write operations such as publishing, retiring, or modifying packages.\n\nThis vulnerability is associated with program files lib/hexpm_web/controllers/api/oauth_controller.ex and program routines \u0027Elixir.HexpmWeb.API.OAuthController\u0027:validate_scopes_against_key/2.\n\nThis issue affects hexpm: from 71829cb6f6559bcceb1ef4e43a2fb8cdd3af654b before 71c127afebb7ed7cc637eb231b98feb802d62999."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T16:44:09.535Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/hexpm/hexpm/security/advisories/GHSA-739m-8727-j6w3"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-21621.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-21621"
},
{
"tags": [
"patch"
],
"url": "https://github.com/hexpm/hexpm/commit/71c127afebb7ed7cc637eb231b98feb802d62999"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Improper Scope Enforcement in OAuth client_credentials Flow Allows Read-Only API Key to Escalate to Full Access",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eRevoke and reissue exposed API keys immediately if compromise is suspected.\u003c/li\u003e\u003cli\u003eAvoid relying on read-only API keys as a strict security boundary in high-risk environments.\u003c/li\u003e\u003cli\u003eClosely monitor audit logs for unexpected API key creation events.\u003c/li\u003e\u003cli\u003eEnforce strong 2FA hygiene and protect TOTP seeds carefully.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThere is no complete mitigation without upgrading, as the issue exists in server-side scope validation logic.\u003c/p\u003e"
}
],
"value": "* Revoke and reissue exposed API keys immediately if compromise is suspected.\n* Avoid relying on read-only API keys as a strict security boundary in high-risk environments.\n* Closely monitor audit logs for unexpected API key creation events.\n* Enforce strong 2FA hygiene and protect TOTP seeds carefully.\n\nThere is no complete mitigation without upgrading, as the issue exists in server-side scope validation logic."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-21621",
"datePublished": "2026-03-05T19:20:05.831Z",
"dateReserved": "2026-01-01T03:46:45.934Z",
"dateUpdated": "2026-04-06T16:44:09.535Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21619 (GCVE-0-2026-21619)
Vulnerability from cvelistv5 – Published: 2026-02-27 17:57 – Updated: 2026-04-06 16:44
VLAI?
Title
Unsafe Deserialization of Erlang Terms in hex_core
Summary
Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation. This vulnerability is associated with program files src/hex_api.erl, src/mix_hex_api.erl, apps/rebar/src/vendored/r3_hex_api.erl and program routines hex_core:request/4, mix_hex_api:request/4, r3_hex_api:request/4.
This issue affects hex_core: from 0.1.0 before 0.12.1; hex: from 2.3.0 before 2.3.2; rebar3: from 3.9.1 before 3.27.0.
Severity ?
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| hexpm | hex_core |
Affected:
eb327f8edfe45507351e38cc0805aa12fa647f0b , < cdf726095bca85ad2549d146df1e831ae93c2b13
(git)
cpe:2.3:a:hexpm:hex_core:*:*:*:*:*:*:*:* |
|||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21619",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T19:08:49.652728Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T19:08:57.019Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:hexpm:hex_core:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"hex_api"
],
"packageName": "hexpm/hex_core",
"packageURL": "pkg:github/hexpm/hex_core",
"product": "hex_core",
"programFiles": [
"src/hex_api.erl"
],
"programRoutines": [
{
"name": "hex_core:request/4"
}
],
"repo": "https://github.com/hexpm/hex_core",
"vendor": "hexpm",
"versions": [
{
"lessThan": "cdf726095bca85ad2549d146df1e831ae93c2b13",
"status": "affected",
"version": "eb327f8edfe45507351e38cc0805aa12fa647f0b",
"versionType": "git"
}
]
},
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:hexpm:hex_core:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"hex_api"
],
"packageName": "hex_core",
"packageURL": "pkg:hex/hex_core",
"product": "hex_core",
"programFiles": [
"src/hex_api.erl"
],
"programRoutines": [
{
"name": "hex_core:request/4"
}
],
"repo": "https://github.com/hexpm/hex_core",
"vendor": "hexpm",
"versions": [
{
"lessThan": "0.12.1",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:hexpm:hex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"mix_hex_api"
],
"packageName": "hexpm/hex",
"packageURL": "pkg:github/hexpm/hex",
"product": "hex",
"programFiles": [
"src/mix_hex_api.erl"
],
"programRoutines": [
{
"name": "mix_hex_api:request/4"
}
],
"repo": "https://github.com/hexpm/hex",
"vendor": "hexpm",
"versions": [
{
"lessThan": "636739f3322514e9303ca335fb630696fcbb3c95",
"status": "affected",
"version": "314546ac432229518714cc8e3336e916b9da6305",
"versionType": "git"
}
]
},
{
"cpes": [
"cpe:2.3:a:hexpm:hex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"mix_hex_api"
],
"packageName": "hex",
"packageURL": "pkg:otp/hex?repository_url=https:%2F%2Fgithub.com%2Fhexpm%2Fhex.git\u0026vcs_url=git%2Bhttps:%2F%2Fgithub.com%2Fhexpm%2Fhex.git",
"product": "hex",
"programFiles": [
"src/mix_hex_api.erl"
],
"programRoutines": [
{
"name": "mix_hex_api:request/4"
}
],
"repo": "https://github.com/hexpm/hex",
"vendor": "hexpm",
"versions": [
{
"lessThan": "2.3.2",
"status": "affected",
"version": "2.3.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:rebar3:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"r3_hex_api"
],
"packageName": "erlang/rebar3",
"packageURL": "pkg:github/erlang/rebar3",
"product": "rebar3",
"programFiles": [
"apps/rebar/src/vendored/r3_hex_api.erl"
],
"programRoutines": [
{
"name": "r3_hex_api:request/4"
}
],
"repo": "https://github.com/erlang/rebar3",
"vendor": "erlang",
"versions": [
{
"lessThan": "1d4478f527e373de0b225951e53115450e0d9b9d",
"status": "affected",
"version": "209c02ec57c2cc3207ee0174c3af3675b8dc8f79",
"versionType": "git"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:rebar3:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"r3_hex_api"
],
"packageName": "rebar3",
"packageURL": "pkg:otp/rebar3?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Frebar3.git\u0026vcs_url=git%2Bhttps:%2F%2Fgithub.com%2Ferlang%2Frebar3.git",
"product": "rebar3",
"programFiles": [
"apps/rebar/src/vendored/r3_hex_api.erl"
],
"programRoutines": [
{
"name": "r3_hex_api:request/4"
}
],
"repo": "https://github.com/erlang/rebar3",
"vendor": "erlang",
"versions": [
{
"lessThan": "3.27.0",
"status": "affected",
"version": "3.9.1",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hexpm:hex_core:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.12.1",
"versionStartIncluding": "0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hexpm:hex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.3.2",
"versionStartIncluding": "2.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:rebar3:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.27.0",
"versionStartIncluding": "3.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Lubas / Paraxial.ia"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Eric Meadows-J\u00f6nsson / Hex.pm"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003esrc/hex_api.erl\u003c/tt\u003e, \u003ctt\u003esrc/mix_hex_api.erl\u003c/tt\u003e, \u003ctt\u003eapps/rebar/src/vendored/r3_hex_api.erl\u003c/tt\u003e and program routines \u003ctt\u003ehex_core:request/4\u003c/tt\u003e, \u003ctt\u003emix_hex_api:request/4\u003c/tt\u003e, \u003ctt\u003er3_hex_api:request/4\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects hex_core: from 0.1.0 before 0.12.1; hex: from 2.3.0 before 2.3.2; rebar3: from 3.9.1 before 3.27.0.\u003c/p\u003e"
}
],
"value": "Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation. This vulnerability is associated with program files src/hex_api.erl, src/mix_hex_api.erl, apps/rebar/src/vendored/r3_hex_api.erl and program routines hex_core:request/4, mix_hex_api:request/4, r3_hex_api:request/4.\n\nThis issue affects hex_core: from 0.1.0 before 0.12.1; hex: from 2.3.0 before 2.3.2; rebar3: from 3.9.1 before 3.27.0."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
},
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T16:44:11.526Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/hexpm/hex_core/security/advisories/GHSA-hx9w-f2w9-9g96"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-21619.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-21619"
},
{
"tags": [
"patch"
],
"url": "https://github.com/hexpm/hex_core/commit/cdf726095bca85ad2549d146df1e831ae93c2b13"
},
{
"tags": [
"patch"
],
"url": "https://github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/rebar3/commit/1d4478f527e373de0b225951e53115450e0d9b9d"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Unsafe Deserialization of Erlang Terms in hex_core",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-21619",
"datePublished": "2026-02-27T17:57:11.513Z",
"dateReserved": "2026-01-01T03:46:45.933Z",
"dateUpdated": "2026-04-06T16:44:11.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23939 (GCVE-0-2026-23939)
Vulnerability from cvelistv5 – Published: 2026-02-26 19:41 – Updated: 2026-04-07 14:38
VLAI?
Title
Path Traversal in Local File Store Backend
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Store.Local' module) allows Relative Path Traversal. This vulnerability is associated with program files lib/hexpm/store/local.ex and program routines 'Elixir.Hexpm.Store.Local':get/3, 'Elixir.Hexpm.Store.Local':put/4, 'Elixir.Hexpm.Store.Local':delete/2, 'Elixir.Hexpm.Store.Local':delete_many/2.
This issue does NOT affect hex.pm the service. Only self-hosted deployments using the Local Storage backend are affected.
This issue affects hexpm: from 931ee0ed46fa89218e0400a4f6e6d15f96406050 before 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23939",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-26T20:24:13.786958Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T20:24:24.772Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:hexpm:hexpm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Hexpm.Store.Local\u0027"
],
"packageName": "hexpm/hexpm",
"packageURL": "pkg:github/hexpm/hexpm",
"product": "hexpm",
"programFiles": [
"lib/hexpm/store/local.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Hexpm.Store.Local\u0027:get/3"
},
{
"name": "\u0027Elixir.Hexpm.Store.Local\u0027:put/4"
},
{
"name": "\u0027Elixir.Hexpm.Store.Local\u0027:delete/2"
},
{
"name": "\u0027Elixir.Hexpm.Store.Local\u0027:delete_many/2"
}
],
"repo": "https://github.com/hexpm/hexpm.git",
"vendor": "hexpm",
"versions": [
{
"lessThan": "5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0",
"status": "affected",
"version": "931ee0ed46fa89218e0400a4f6e6d15f96406050",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Only self-hosted hexpm deployments using the \u003ctt\u003eHexpm.Store.Local\u003c/tt\u003e storage backend are affected. The hex.pm service and deployments using S3-compatible object storage backends are not affected."
}
],
"value": "Only self-hosted hexpm deployments using the Hexpm.Store.Local storage backend are affected. The hex.pm service and deployments using S3-compatible object storage backends are not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hexpm:hexpm:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0",
"versionStartIncluding": "931ee0ed46fa89218e0400a4f6e6d15f96406050",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Lubas / Paraxial.io"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Eric Meadows-J\u00f6nsson / Hex.pm"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in hexpm hexpm/hexpm (\u0027Elixir.Hexpm.Store.Local\u0027 module) allows Relative Path Traversal.\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/hexpm/store/local.ex\u003c/tt\u003e and program routines \u003ctt\u003e\u0027Elixir.Hexpm.Store.Local\u0027:get/3\u003c/tt\u003e, \u003ctt\u003e\u0027Elixir.Hexpm.Store.Local\u0027:put/4\u003c/tt\u003e, \u003ctt\u003e\u0027Elixir.Hexpm.Store.Local\u0027:delete/2\u003c/tt\u003e, \u003ctt\u003e\u0027Elixir.Hexpm.Store.Local\u0027:delete_many/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue does NOT affect hex.pm the service. Only self-hosted deployments using the Local Storage backend are affected.\u003c/p\u003e\u003cp\u003eThis issue affects hexpm: from 931ee0ed46fa89218e0400a4f6e6d15f96406050 before 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0.\u003c/p\u003e"
}
],
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in hexpm hexpm/hexpm (\u0027Elixir.Hexpm.Store.Local\u0027 module) allows Relative Path Traversal. This vulnerability is associated with program files lib/hexpm/store/local.ex and program routines \u0027Elixir.Hexpm.Store.Local\u0027:get/3, \u0027Elixir.Hexpm.Store.Local\u0027:put/4, \u0027Elixir.Hexpm.Store.Local\u0027:delete/2, \u0027Elixir.Hexpm.Store.Local\u0027:delete_many/2.\n\nThis issue does NOT affect hex.pm the service. Only self-hosted deployments using the Local Storage backend are affected.\n\nThis issue affects hexpm: from 931ee0ed46fa89218e0400a4f6e6d15f96406050 before 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0."
}
],
"impacts": [
{
"capecId": "CAPEC-139",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-139 Relative Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:38:03.183Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/hexpm/hexpm/security/advisories/GHSA-42mv-r64p-4869"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-23939.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-23939"
},
{
"tags": [
"patch"
],
"url": "https://github.com/hexpm/hexpm/commit/5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Path Traversal in Local File Store Backend",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eAvoid the local file store backend in any exposed environment.\u003c/li\u003e\u003cli\u003eRestrict network access to the registry when using the local backend.\u003c/li\u003e\u003cli\u003eProduction deployments should use object storage (e.g., S3-compatible backends) instead of the local filesystem store.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Avoid the local file store backend in any exposed environment.\n* Restrict network access to the registry when using the local backend.\n* Production deployments should use object storage (e.g., S3-compatible backends) instead of the local filesystem store."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-23939",
"datePublished": "2026-02-26T19:41:18.762Z",
"dateReserved": "2026-01-19T14:23:14.343Z",
"dateUpdated": "2026-04-07T14:38:03.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21620 (GCVE-0-2026-21620)
Vulnerability from cvelistv5 – Published: 2026-02-20 10:57 – Updated: 2026-04-07 14:38
VLAI?
Title
TFTP Path Traversal
Summary
Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (tftp_file modules), erlang otp tftp (tftp_file modules) allows Relative Path Traversal. This vulnerability is associated with program files lib/tftp/src/tftp_file.erl, src/tftp_file.erl.
This issue affects otp: from 17.0, from 07b8f441ca711f9812fad9e9115bab3c3aa92f79; otp: from 5.10 before 7.0; otp: from 1.0.
Severity ?
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21620",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T13:36:03.423294Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T13:36:39.878Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"tftp_file"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/tftp/src/tftp_file.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "26.2.5.17",
"status": "unaffected"
},
{
"at": "27.3.4.8",
"status": "unaffected"
},
{
"at": "28.3.2",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"changes": [
{
"at": "655fb95725ba2fb811740b57e106873833824344",
"status": "unaffected"
},
{
"at": "3970738f687325138eb75f798054fa8960ac354e",
"status": "unaffected"
},
{
"at": "696fdec922661d4a3cc528fc34bc24fae8d4ad8a",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "07b8f441ca711f9812fad9e9115bab3c3aa92f79",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"tftp_file"
],
"packageName": "inets",
"packageURL": "pkg:otp/inets?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/tftp_file.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"lessThan": "7.0",
"status": "affected",
"version": "5.10",
"versionType": "otp"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"tftp_file"
],
"packageName": "tftp",
"packageURL": "pkg:otp/tftp?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/tftp_file.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "1.1.1.1",
"status": "unaffected"
},
{
"at": "1.2.2.1",
"status": "unaffected"
},
{
"at": "1.2.4",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "1.0",
"versionType": "otp"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A TFTP server must be started and the TFTP port must be reachable by the attacker, using the \u003ctt\u003etftp\u003c/tt\u003e application (or the legacy \u003ctt\u003einets\u003c/tt\u003e TFTP service) with the \u003ctt\u003etftp_file\u003c/tt\u003e callback module configured with the \u003ctt\u003e{root_dir, Dir}\u003c/tt\u003e option."
}
],
"value": "A TFTP server must be started and the TFTP port must be reachable by the attacker, using the tftp application (or the legacy inets TFTP service) with the tftp_file callback module configured with the {root_dir, Dir} option."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "26.2.5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.8",
"versionStartIncluding": "27.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.3.2",
"versionStartIncluding": "28.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Luigino Camastra"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Jakub Witczak"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Raimo Niskanen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (tftp_file modules), erlang otp tftp (tftp_file modules) allows Relative Path Traversal.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003elib/tftp/src/tftp_file.erl\u003c/tt\u003e, \u003ctt\u003esrc/tftp_file.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects otp: from 17.0, from 07b8f441ca711f9812fad9e9115bab3c3aa92f79; otp: from 5.10 before 7.0; otp: from 1.0.\u003c/p\u003e"
}
],
"value": "Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (tftp_file modules), erlang otp tftp (tftp_file modules) allows Relative Path Traversal. This vulnerability is associated with program files lib/tftp/src/tftp_file.erl, src/tftp_file.erl.\n\nThis issue affects otp: from 17.0, from 07b8f441ca711f9812fad9e9115bab3c3aa92f79; otp: from 5.10 before 7.0; otp: from 1.0."
}
],
"impacts": [
{
"capecId": "CAPEC-139",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-139 Relative Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:38:08.771Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-hmrc-prh3-rpvp"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-21620.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-21620"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/pull/10706"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/696fdec922661d4a3cc528fc34bc24fae8d4ad8a"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/3970738f687325138eb75f798054fa8960ac354e"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/655fb95725ba2fb811740b57e106873833824344"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "TFTP Path Traversal",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-21620",
"datePublished": "2026-02-20T10:57:08.620Z",
"dateReserved": "2026-01-01T03:46:45.934Z",
"dateUpdated": "2026-04-07T14:38:08.771Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21618 (GCVE-0-2026-21618)
Vulnerability from cvelistv5 – Published: 2026-01-19 14:22 – Updated: 2026-04-06 16:44
VLAI?
Title
Cross-site scripting (XSS) in OAuth Device Authorization screen
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.SharedAuthorizationView' modules) allows Cross-Site Scripting (XSS). This vulnerability is associated with program files lib/hexpm_web/views/shared_authorization_view.ex and program routines 'Elixir.HexpmWeb.SharedAuthorizationView':render_grouped_scopes/3.
This issue affects hexpm: from 617e44c71f1dd9043870205f371d375c5c4d886d before c692438684ead90c3bcbfb9ccf4e63c768c668a8, from pkg:github/hexpm/hexpm@617e44c71f1dd9043870205f371d375c5c4d886d before pkg:github/hexpm/hexpm@c692438684ead90c3bcbfb9ccf4e63c768c668a8; hex.pm: from 2025-10-01 before 2026-01-19.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21618",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T16:16:45.709727Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T16:16:57.225Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:hexpm:hexpm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.HexpmWeb.SharedAuthorizationView\u0027"
],
"packageName": "hexpm/hexpm",
"packageURL": "pkg:github/hexpm/hexpm",
"product": "hexpm",
"programFiles": [
"lib/hexpm_web/views/shared_authorization_view.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.HexpmWeb.SharedAuthorizationView\u0027:render_grouped_scopes/3"
}
],
"repo": "https://github.com/hexpm/hexpm.git",
"vendor": "hexpm",
"versions": [
{
"lessThan": "c692438684ead90c3bcbfb9ccf4e63c768c668a8",
"status": "affected",
"version": "617e44c71f1dd9043870205f371d375c5c4d886d",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "hex.pm",
"vendor": "hexpm",
"versions": [
{
"lessThan": "2026-01-19",
"status": "affected",
"version": "2025-10-01",
"versionType": "date"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hexpm:hexpm:*:*:*:*:*:*:*:*",
"versionEndExcluding": "c692438684ead90c3bcbfb9ccf4e63c768c668a8",
"versionStartIncluding": "617e44c71f1dd9043870205f371d375c5c4d886d",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joud Zakharia / zentrust partners GmbH"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Eric Meadows-J\u00f6nsson / Hex.pm"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in hexpm hexpm/hexpm (\u0027Elixir.HexpmWeb.SharedAuthorizationView\u0027 modules) allows Cross-Site Scripting (XSS).\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003elib/hexpm_web/views/shared_authorization_view.ex\u003c/tt\u003e and program routines \u003ctt\u003e\u0027Elixir.HexpmWeb.SharedAuthorizationView\u0027:render_grouped_scopes/3\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects hexpm: from 617e44c71f1dd9043870205f371d375c5c4d886d before c692438684ead90c3bcbfb9ccf4e63c768c668a8, from pkg:github/hexpm/hexpm@617e44c71f1dd9043870205f371d375c5c4d886d before pkg:github/hexpm/hexpm@c692438684ead90c3bcbfb9ccf4e63c768c668a8; hex.pm: from 2025-10-01 before 2026-01-19.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in hexpm hexpm/hexpm (\u0027Elixir.HexpmWeb.SharedAuthorizationView\u0027 modules) allows Cross-Site Scripting (XSS). This vulnerability is associated with program files lib/hexpm_web/views/shared_authorization_view.ex and program routines \u0027Elixir.HexpmWeb.SharedAuthorizationView\u0027:render_grouped_scopes/3.\n\nThis issue affects hexpm: from 617e44c71f1dd9043870205f371d375c5c4d886d before c692438684ead90c3bcbfb9ccf4e63c768c668a8, from pkg:github/hexpm/hexpm@617e44c71f1dd9043870205f371d375c5c4d886d before pkg:github/hexpm/hexpm@c692438684ead90c3bcbfb9ccf4e63c768c668a8; hex.pm: from 2025-10-01 before 2026-01-19."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T16:44:10.863Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/hexpm/hexpm/security/advisories/GHSA-6cw9-5gg4-rhpj"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-21618.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-21618"
},
{
"tags": [
"patch"
],
"url": "https://github.com/hexpm/hexpm/commit/c692438684ead90c3bcbfb9ccf4e63c768c668a8"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cross-site scripting (XSS) in OAuth Device Authorization screen",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-21618",
"datePublished": "2026-01-19T14:22:46.770Z",
"dateReserved": "2026-01-01T03:46:45.933Z",
"dateUpdated": "2026-04-06T16:44:10.863Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48044 (GCVE-0-2025-48044)
Vulnerability from cvelistv5 – Published: 2025-10-17 13:52 – Updated: 2026-04-16 04:16
VLAI?
Title
Authorization bypass when bypass policy condition evaluates to true
Summary
Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/policy.ex and program routines 'Elixir.Ash.Policy.Policy':expression/2.
This issue affects ash: from pkg:hex/ash@3.6.3 before pkg:hex/ash@3.7.1, from 3.6.3 before 3.7.1, from 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 before 8b83efa225f657bfc3656ad8ee8485f9b2de923d.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ash-project | ash |
Affected:
3.6.3 , < 3.7.1
(semver)
cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:* |
|||||||
|
|||||||||
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48044",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-20T18:42:50.579615Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T13:59:25.673Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/ash-project/ash/security/advisories/GHSA-pcxq-fjp3-r752"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"packageName": "ash",
"packageURL": "pkg:hex/ash",
"product": "ash",
"programFiles": [
"lib/ash/policy/policy.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Ash.Policy.Policy\u0027:expression/2"
}
],
"repo": "https://github.com/ash-project/ash",
"vendor": "ash-project",
"versions": [
{
"lessThan": "3.7.1",
"status": "affected",
"version": "3.6.3",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"packageName": "ash-project/ash",
"packageURL": "pkg:github/ash-project/ash",
"product": "ash",
"programFiles": [
"lib/ash/policy/policy.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Ash.Policy.Policy\u0027:expression/2"
}
],
"repo": "https://github.com/ash-project/ash",
"vendor": "ash-project",
"versions": [
{
"lessThan": "8b83efa225f657bfc3656ad8ee8485f9b2de923d",
"status": "affected",
"version": "79749c2685ea031ebb2de8cf60cc5edced6a8dd0",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.7.1",
"versionStartIncluding": "3.6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Jechol Lee"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jechol Lee"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Zach Daniel"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003elib/ash/policy/policy.ex\u003c/tt\u003e and program routines \u003ctt\u003e\u0027Elixir.Ash.Policy.Policy\u0027:expression/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects ash: from pkg:hex/ash@3.6.3 before pkg:hex/ash@3.7.1, from 3.6.3 before 3.7.1, from 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 before 8b83efa225f657bfc3656ad8ee8485f9b2de923d.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/policy.ex and program routines \u0027Elixir.Ash.Policy.Policy\u0027:expression/2.\n\nThis issue affects ash: from pkg:hex/ash@3.6.3 before pkg:hex/ash@3.7.1, from 3.6.3 before 3.7.1, from 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 before 8b83efa225f657bfc3656ad8ee8485f9b2de923d."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T04:16:08.167Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/ash-project/ash/security/advisories/GHSA-pcxq-fjp3-r752"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2025-48044.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2025-48044"
},
{
"tags": [
"patch"
],
"url": "https://github.com/ash-project/ash/commit/8b83efa225f657bfc3656ad8ee8485f9b2de923d"
}
],
"source": {
"discovery": "USER"
},
"title": "Authorization bypass when bypass policy condition evaluates to true",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2025-48044",
"datePublished": "2025-10-17T13:52:53.644Z",
"dateReserved": "2025-05-15T08:40:25.455Z",
"dateUpdated": "2026-04-16T04:16:08.167Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48043 (GCVE-0-2025-48043)
Vulnerability from cvelistv5 – Published: 2025-10-10 15:57 – Updated: 2026-04-06 16:44
VLAI?
Title
Bypass and runtime policies that can never pass may be incorrectly applied in filter authorization
Summary
Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/authorizer/authorizer.ex and program routines 'Elixir.Ash.Policy.Authorizer':strict_filters/2.
This issue affects ash: from pkg:hex/ash@0 before pkg:hex/ash@3.6.2, before 3.6.2, before 66d81300065b970da0d2f4528354835d2418c7ae.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ash-project | ash |
Affected:
0 , < 3.6.2
(semver)
cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:* |
|||||||
|
|||||||||
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48043",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-10T16:33:21.270063Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T16:45:42.403Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"packageName": "ash",
"packageURL": "pkg:hex/ash",
"product": "ash",
"programFiles": [
"lib/ash/policy/authorizer/authorizer.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Ash.Policy.Authorizer\u0027:strict_filters/2"
}
],
"repo": "https://github.com/ash-project/ash",
"vendor": "ash-project",
"versions": [
{
"lessThan": "3.6.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"packageName": "ash-project/ash",
"packageURL": "pkg:github/ash-project/ash",
"product": "ash",
"programFiles": [
"lib/ash/policy/authorizer/authorizer.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Ash.Policy.Authorizer\u0027:strict_filters/2"
}
],
"repo": "https://github.com/ash-project/ash",
"vendor": "ash-project",
"versions": [
{
"lessThan": "66d81300065b970da0d2f4528354835d2418c7ae",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "remediation reviewer",
"value": "Zach Daniel"
},
{
"lang": "en",
"type": "reporter",
"value": "Jonatan M\u00e4nnchen"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jonatan M\u00e4nnchen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003elib/ash/policy/authorizer/authorizer.ex\u003c/tt\u003e and program routines \u003ctt\u003e\u0027Elixir.Ash.Policy.Authorizer\u0027:strict_filters/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects ash: from pkg:hex/ash@0 before pkg:hex/ash@3.6.2, before 3.6.2, before 66d81300065b970da0d2f4528354835d2418c7ae.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/authorizer/authorizer.ex and program routines \u0027Elixir.Ash.Policy.Authorizer\u0027:strict_filters/2.\n\nThis issue affects ash: from pkg:hex/ash@0 before pkg:hex/ash@3.6.2, before 3.6.2, before 66d81300065b970da0d2f4528354835d2418c7ae."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T16:44:04.990Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/ash-project/ash/security/advisories/GHSA-7r7f-9xpj-jmr7"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2025-48043.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2025-48043"
},
{
"tags": [
"patch"
],
"url": "https://github.com/ash-project/ash/commit/66d81300065b970da0d2f4528354835d2418c7ae"
}
],
"source": {
"discovery": "USER"
},
"title": "Bypass and runtime policies that can never pass may be incorrectly applied in filter authorization",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2025-48043",
"datePublished": "2025-10-10T15:57:29.225Z",
"dateReserved": "2025-05-15T08:40:25.455Z",
"dateUpdated": "2026-04-06T16:44:04.990Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48041 (GCVE-0-2025-48041)
Vulnerability from cvelistv5 – Published: 2025-09-11 08:14 – Updated: 2026-04-07 14:38
VLAI?
Title
SSH_FXP_OPENDIR may Lead to Exhaustion of File Handles
Summary
Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.
This issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
Severity ?
CWE
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48041",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T13:30:20.449625Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:36:24.389Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_sftp"
],
"packageName": "ssh",
"packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"lib/ssh/src/ssh_sftpd.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "5.3.3",
"status": "unaffected"
},
{
"at": "5.2.11.3",
"status": "unaffected"
},
{
"at": "5.1.4.12",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "3.0.1",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_sftp"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/ssh/src/ssh_sftpd.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "28.0.3",
"status": "unaffected"
},
{
"at": "27.3.4.3",
"status": "unaffected"
},
{
"at": "26.2.5.15",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"changes": [
{
"at": "5f9af63eec4657a37663828d206517828cb9f288",
"status": "unaffected"
},
{
"at": "d49efa2d4fa9e6f7ee658719cd76ffe7a33c2401",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "07b8f441ca711f9812fad9e9115bab3c3aa92f79",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The SFTP subsystem must be enabled on the SSH server and the SSH port must be reachable by the attacker. SFTP is enabled by default unless explicitly disabled by setting \u003ctt\u003e{subsystems, []}\u003c/tt\u003e in the SSH daemon configuration."
}
],
"value": "The SFTP subsystem must be enabled on the SSH server and the SSH port must be reachable by the attacker. SFTP is enabled by default unless explicitly disabled by setting {subsystems, []} in the SSH daemon configuration."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "26.2.5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.3",
"versionStartIncluding": "27.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.0.3",
"versionStartIncluding": "28.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "Jakub Witczak"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Ingela Andin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_sftpd.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.\u003c/p\u003e"
}
],
"value": "Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.\n\nThis issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
},
{
"capecId": "CAPEC-125",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-125 Flooding"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:38:02.322Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-79c4-cvv7-4qm3"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2025-48041.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2025-48041"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/pull/10157"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/5f9af63eec4657a37663828d206517828cb9f288"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/d49efa2d4fa9e6f7ee658719cd76ffe7a33c2401"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "SSH_FXP_OPENDIR may Lead to Exhaustion of File Handles",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003edisabling SFTP\u003ctt\u003e\u003c/tt\u003e\u003c/li\u003e\u003cli\u003elimiting number of \u003ctt\u003emax_sessions\u003c/tt\u003e allowed for \u003ctt\u003esshd\u003c/tt\u003e, so exploiting becomes more complicated\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* disabling SFTP\n * limiting number of max_sessions allowed for sshd, so exploiting becomes more complicated"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2025-48041",
"datePublished": "2025-09-11T08:14:20.508Z",
"dateReserved": "2025-05-15T08:40:25.455Z",
"dateUpdated": "2026-04-07T14:38:02.322Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48040 (GCVE-0-2025-48040)
Vulnerability from cvelistv5 – Published: 2025-09-11 08:14 – Updated: 2026-04-06 16:44
VLAI?
Title
Malicious Key Exchange Messages may Lead to Excessive Resource Consumption
Summary
Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.
This issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
Severity ?
CWE
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48040",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T13:30:33.529743Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:36:29.640Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_sftp"
],
"packageName": "ssh",
"packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"lib/ssh/src/ssh_sftpd.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "5.3.3",
"status": "unaffected"
},
{
"at": "5.2.11.3",
"status": "unaffected"
},
{
"at": "5.1.4.12",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "3.0.1",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"ssh_sftp"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/ssh/src/ssh_sftpd.erl"
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "28.0.3",
"status": "unaffected"
},
{
"at": "27.3.4.3",
"status": "unaffected"
},
{
"at": "26.2.5.15",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"changes": [
{
"at": "7cd7abb7e19e16b027eaee6a54e1f6fbbe21181a",
"status": "unaffected"
},
{
"at": "548f1295d86d0803da884db8685cc16d461d0d5a",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "07b8f441ca711f9812fad9e9115bab3c3aa92f79",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "26.2.5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.3",
"versionStartIncluding": "27.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.0.3",
"versionStartIncluding": "28.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "Jakub Witczak"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Ingela Andin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_sftpd.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.\u003c/p\u003e"
}
],
"value": "Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl.\n\nThis issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
},
{
"capecId": "CAPEC-125",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-125 Flooding"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T16:44:01.688Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-h7rg-6rjg-4cph"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2025-48040.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2025-48040"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/pull/10162"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/7cd7abb7e19e16b027eaee6a54e1f6fbbe21181a"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/548f1295d86d0803da884db8685cc16d461d0d5a"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Malicious Key Exchange Messages may Lead to Excessive Resource Consumption",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eset option \u003ctt\u003eparallel_login\u003c/tt\u003e to \u003ctt\u003efalse\u003c/tt\u003e\u003c/li\u003e\u003cli\u003ereduce \u003ctt\u003emax_sessions\u003c/tt\u003e option\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* set option parallel_login to false\n * reduce max_sessions option"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2025-48040",
"datePublished": "2025-09-11T08:14:19.671Z",
"dateReserved": "2025-05-15T08:40:25.455Z",
"dateUpdated": "2026-04-06T16:44:01.688Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}