Hexpm
CVE-2026-21618
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.SharedAuthorizationView' modules) allows Cross-Site Scripting (XSS). This vulnerability is associated with program files lib/hexpm_web/views/shared_authorization_view.ex and program routines 'Elixir.HexpmWeb.SharedAuthorizationView':render_grouped_scopes/3.
This issue affects hexpm: from 617e44c71f1dd9043870205f371d375c5c4d886d before c692438684ead90c3bcbfb9ccf4e63c768c668a8, from pkg:github/hexpm/hexpm@617e44c71f1dd9043870205f371d375c5c4d886d before pkg:github/hexpm/hexpm@c692438684ead90c3bcbfb9ccf4e63c768c668a8; hex.pm: from 2025-10-01 before 2026-01-19.
AnalysisAI
Improper input sanitization in hexpm's SharedAuthorizationView module allows unauthenticated attackers to inject malicious scripts into web pages through the render_grouped_scopes function, enabling cross-site scripting (XSS) attacks against hex.pm users. The vulnerability affects hexpm versions from October 2025 through January 19, 2026, and currently has no available patch. Attackers can exploit this via a simple network request requiring only user interaction, potentially compromising user sessions or stealing sensitive data.
Technical ContextAI
Classified as CWE-79 (Cross-site Scripting (XSS)). Affects from 2025-10-01. Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.SharedAuthorizationView' modules) allows Cross-Site Scripting (XSS). This vulnerability is associated with program files lib/hexpm_web/views/shared_authorization_view.ex and program routines 'Elixir.HexpmWeb.SharedAuthorizationView':render_grouped_scopes/3.
This issue affects hexpm: from 617e44c71f1dd9043870205f371d375c5c4d886d before c692438684ead90c3
RemediationAI
Monitor vendor advisories for a patch. Implement output encoding and Content Security Policy headers.
Insufficient session expiration in hexpm. Password reset tokens never expire, enabling persistent account takeover.
An uncontrolled resource consumption vulnerability in the Hex.pm package manager allows authenticated attackers to cause
Hexpm's OAuth implementation fails to enforce read-only API key restrictions during token exchange, allowing an attacker
Path traversal in hexpm's Local Storage backend allows unauthenticated attackers to read sensitive files through relativ
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today