Hexpm
Monthly
An uncontrolled resource consumption vulnerability in the Hex.pm package manager allows authenticated attackers to cause denial of service by uploading oversized packages that exhaust server memory during extraction. The vulnerability affects hexpm versions before commit 495f01607d3eae4aed7ad09b2f54f31ec7a7df01 and hex.pm installations before March 10, 2026, with a CVSS 4.0 score of 7.1 indicating high availability impact. No active exploitation has been reported (not in KEV), no public proof-of-concept exists, and EPSS data is not available.
Insufficient session expiration in hexpm. Password reset tokens never expire, enabling persistent account takeover.
Hexpm's OAuth implementation fails to enforce read-only API key restrictions during token exchange, allowing an attacker with a victim's read-only API key and valid 2FA code to obtain a full-access API key with unrestricted permissions. This privilege escalation vulnerability affects users of the Hexpm package repository and enables unauthorized modification of packages and account settings. No patch is currently available.
Path traversal in hexpm's Local Storage backend allows unauthenticated attackers to read sensitive files through relative path manipulation in the file storage routines. Only self-hosted hexpm deployments using Local Storage are affected; the managed hex.pm service is not vulnerable. An attacker can access arbitrary files accessible to the hexpm process without authentication or user interaction.
Improper input sanitization in hexpm's SharedAuthorizationView module allows unauthenticated attackers to inject malicious scripts into web pages through the render_grouped_scopes function, enabling cross-site scripting (XSS) attacks against hex.pm users. The vulnerability affects hexpm versions from October 2025 through January 19, 2026, and currently has no available patch. Attackers can exploit this via a simple network request requiring only user interaction, potentially compromising user sessions or stealing sensitive data.
An uncontrolled resource consumption vulnerability in the Hex.pm package manager allows authenticated attackers to cause denial of service by uploading oversized packages that exhaust server memory during extraction. The vulnerability affects hexpm versions before commit 495f01607d3eae4aed7ad09b2f54f31ec7a7df01 and hex.pm installations before March 10, 2026, with a CVSS 4.0 score of 7.1 indicating high availability impact. No active exploitation has been reported (not in KEV), no public proof-of-concept exists, and EPSS data is not available.
Insufficient session expiration in hexpm. Password reset tokens never expire, enabling persistent account takeover.
Hexpm's OAuth implementation fails to enforce read-only API key restrictions during token exchange, allowing an attacker with a victim's read-only API key and valid 2FA code to obtain a full-access API key with unrestricted permissions. This privilege escalation vulnerability affects users of the Hexpm package repository and enables unauthorized modification of packages and account settings. No patch is currently available.
Path traversal in hexpm's Local Storage backend allows unauthenticated attackers to read sensitive files through relative path manipulation in the file storage routines. Only self-hosted hexpm deployments using Local Storage are affected; the managed hex.pm service is not vulnerable. An attacker can access arbitrary files accessible to the hexpm process without authentication or user interaction.
Improper input sanitization in hexpm's SharedAuthorizationView module allows unauthenticated attackers to inject malicious scripts into web pages through the render_grouped_scopes function, enabling cross-site scripting (XSS) attacks against hex.pm users. The vulnerability affects hexpm versions from October 2025 through January 19, 2026, and currently has no available patch. Attackers can exploit this via a simple network request requiring only user interaction, potentially compromising user sessions or stealing sensitive data.