Skip to main content

Hexpm

5 CVEs product

Monthly

CVE-2026-23940 HIGH PATCH This Week

An uncontrolled resource consumption vulnerability in the Hex.pm package manager allows authenticated attackers to cause denial of service by uploading oversized packages that exhaust server memory during extraction. The vulnerability affects hexpm versions before commit 495f01607d3eae4aed7ad09b2f54f31ec7a7df01 and hex.pm installations before March 10, 2026, with a CVSS 4.0 score of 7.1 indicating high availability impact. No active exploitation has been reported (not in KEV), no public proof-of-concept exists, and EPSS data is not available.

Denial Of Service Hexpm Hex Pm
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-21622 CRITICAL Act Now

Insufficient session expiration in hexpm. Password reset tokens never expire, enabling persistent account takeover.

Information Disclosure Hexpm
NVD GitHub VulDB
CVSS 4.0
9.5
EPSS
0.1%
CVE-2026-21621 HIGH This Week

Hexpm's OAuth implementation fails to enforce read-only API key restrictions during token exchange, allowing an attacker with a victim's read-only API key and valid 2FA code to obtain a full-access API key with unrestricted permissions. This privilege escalation vulnerability affects users of the Hexpm package repository and enables unauthorized modification of packages and account settings. No patch is currently available.

Privilege Escalation Authentication Bypass Hexpm
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-23939 MEDIUM This Month

Path traversal in hexpm's Local Storage backend allows unauthenticated attackers to read sensitive files through relative path manipulation in the file storage routines. Only self-hosted hexpm deployments using Local Storage are affected; the managed hex.pm service is not vulnerable. An attacker can access arbitrary files accessible to the hexpm process without authentication or user interaction.

Path Traversal Hexpm
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-21618 HIGH This Week

Improper input sanitization in hexpm's SharedAuthorizationView module allows unauthenticated attackers to inject malicious scripts into web pages through the render_grouped_scopes function, enabling cross-site scripting (XSS) attacks against hex.pm users. The vulnerability affects hexpm versions from October 2025 through January 19, 2026, and currently has no available patch. Attackers can exploit this via a simple network request requiring only user interaction, potentially compromising user sessions or stealing sensitive data.

XSS Hexpm
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.1%
EPSS 0% CVSS 7.1
HIGH PATCH This Week

An uncontrolled resource consumption vulnerability in the Hex.pm package manager allows authenticated attackers to cause denial of service by uploading oversized packages that exhaust server memory during extraction. The vulnerability affects hexpm versions before commit 495f01607d3eae4aed7ad09b2f54f31ec7a7df01 and hex.pm installations before March 10, 2026, with a CVSS 4.0 score of 7.1 indicating high availability impact. No active exploitation has been reported (not in KEV), no public proof-of-concept exists, and EPSS data is not available.

Denial Of Service Hexpm Hex Pm
NVD GitHub VulDB
EPSS 0% CVSS 9.5
CRITICAL Act Now

Insufficient session expiration in hexpm. Password reset tokens never expire, enabling persistent account takeover.

Information Disclosure Hexpm
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH This Week

Hexpm's OAuth implementation fails to enforce read-only API key restrictions during token exchange, allowing an attacker with a victim's read-only API key and valid 2FA code to obtain a full-access API key with unrestricted permissions. This privilege escalation vulnerability affects users of the Hexpm package repository and enables unauthorized modification of packages and account settings. No patch is currently available.

Privilege Escalation Authentication Bypass Hexpm
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Path traversal in hexpm's Local Storage backend allows unauthenticated attackers to read sensitive files through relative path manipulation in the file storage routines. Only self-hosted hexpm deployments using Local Storage are affected; the managed hex.pm service is not vulnerable. An attacker can access arbitrary files accessible to the hexpm process without authentication or user interaction.

Path Traversal Hexpm
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Improper input sanitization in hexpm's SharedAuthorizationView module allows unauthenticated attackers to inject malicious scripts into web pages through the render_grouped_scopes function, enabling cross-site scripting (XSS) attacks against hex.pm users. The vulnerability affects hexpm versions from October 2025 through January 19, 2026, and currently has no available patch. Attackers can exploit this via a simple network request requiring only user interaction, potentially compromising user sessions or stealing sensitive data.

XSS Hexpm
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy