
ericmj decimal CVE-2026-32686

EUVD-2026-28376 | MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-05-07 | EEF | GHSA-rhv4-8758-jx7v
CVSS 4.0 base score: 6.9

CVSS Vector (NVD)

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline (5 events)

May 07, 2026 - 17:00 (vuln.today): Source Code Evidence Fetched
May 07, 2026 - 17:00 (vuln.today): Analysis Generated
May 07, 2026 - 15:22 (NVD): CVSS changed to 6.9 (MEDIUM)
May 07, 2026 - 14:04 (nvd): CVE Published, UNKNOWN (no severity yet)
May 07, 2026 - 14:04 (nvd): CVE Published, MEDIUM 6.9

Description (NVD)

Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthenticated remote Denial of Service.

The decimal library does not bound the exponent on parsed input. Storing a decimal with a very large exponent (e.g. Decimal.new("1e1000000000")) is accepted without error. Subsequent calls to arithmetic functions (Decimal.add/2, Decimal.sub/2, Decimal.div/2), Decimal.to_string/2 with :normal or :xsd format, Decimal.to_integer/1, Decimal.round/3, or Decimal.compare/3 with a threshold allocate memory proportional to the exponent value, which can exhaust available memory and crash the BEAM VM.

Any application that accepts user-supplied decimal input and subsequently performs arithmetic, rounding, conversion to integer, or string formatting on it is exposed. A single malicious request is sufficient to cause an out-of-memory crash.

This issue affects decimal: from 0.1.0 before 3.0.0.
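The description above says the library accepts any exponent at parse time and only allocates when the value is later used in arithmetic, rounding, integer conversion or :normal/:xsd formatting. The following is an added example of the application-side mitigation, not code from the decimal project: parse the untrusted string, inspect the raw exponent of the resulting struct, and refuse it before any allocating call runs. It assumes the decimal 2.x API, where Decimal.parse/1 returns {decimal, rest} or :error and a finite %Decimal{} carries an integer :coef and :exp; the module name BoundedDecimal and the 1_000 exponent bound are assumptions to be adjusted to the application's own domain.

```elixir
# Added example (not the decimal project's code): reject user-supplied
# decimals whose exponent magnitude exceeds an application-chosen bound
# before any arithmetic, rounding, to_integer or to_string call is made.
# Assumes decimal 2.x: Decimal.parse/1 returns {decimal, rest} or :error,
# and a finite %Decimal{} has an integer :coef and an integer :exp.
defmodule BoundedDecimal do
  # Policy assumption: no legitimate input for this application needs an
  # exponent shift of more than this many decimal digits.
  @default_max_abs_exp 1_000

  @doc "Parse a user-supplied string into a Decimal, rejecting unbounded exponents."
  def parse(input, max_abs_exp \\ @default_max_abs_exp)
      when is_binary(input) and is_integer(max_abs_exp) and max_abs_exp >= 0 do
    case Decimal.parse(input) do
      # Only a fully consumed, finite decimal is considered. The check reads
      # the stored exponent directly; nothing here triggers allocation
      # proportional to it.
      {%Decimal{coef: coef, exp: exp} = dec, ""} when is_integer(coef) ->
        if abs(exp) <= max_abs_exp do
          {:ok, dec}
        else
          {:error, {:exponent_out_of_range, exp}}
        end

      # NaN and Infinity parse successfully but are not finite numbers.
      {%Decimal{}, ""} ->
        {:error, :not_finite}

      # Trailing characters after the number, e.g. "1.5abc".
      {_dec, rest} when is_binary(rest) ->
        {:error, {:trailing_input, rest}}

      :error ->
        {:error, :invalid_decimal}
    end
  end

  @doc "Like parse/2 but raises ArgumentError, for use at a request boundary."
  def parse!(input, max_abs_exp \\ @default_max_abs_exp) do
    case parse(input, max_abs_exp) do
      {:ok, dec} -> dec
      {:error, reason} -> raise ArgumentError, "rejected decimal input: #{inspect(reason)}"
    end
  end
end

# Constructed sample inputs; each is checked before reaching Decimal.add/2,
# Decimal.round/3, Decimal.to_integer/1 or Decimal.to_string/2.
BoundedDecimal.parse("12.50")
BoundedDecimal.parse("1e1000000000")
BoundedDecimal.parse("Infinity")
BoundedDecimal.parse("1.5abc")
BoundedDecimal.parse("abc")
```

The check belongs at the trust boundary (a Phoenix controller, an Ecto changeset cast, or a JSON decoding step), so that every path from untrusted input to Decimal arithmetic passes through it; values that originate from the database or from internal computation do not need it. The bound is deliberately on the exponent of the parsed struct rather than on the input string length, because a short string such as the "1e1000000000" in the description already encodes a ten-digit exponent.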

Analysis (AI-generated)

Uncontrolled resource consumption in ericmj decimal library (versions 0.1.0 before 3.0.0) allows remote denial of service via maliciously crafted decimal values with extremely large exponents. When applications parse user-supplied decimal input and subsequently perform arithmetic operations, string formatting, rounding, or comparison, the library allocates memory proportional to the exponent magnitude without bounds, exhausting available memory and crashing the BEAM virtual machine. …



CVE-2026-32686 vulnerability details – vuln.today
