Skip to main content

Plug

5 CVEs product

Monthly

CVE-2026-54892 HIGH PATCH This Week

Denial of service in Elixir Plug 1.15.0 through 1.19.2 allows unauthenticated remote attackers to saturate BEAM schedulers by sending HTTP requests with deeply nested bracket-style query parameters (e.g. a[a][a]...=1). Plug.Conn.Query.decode/4 exhibits quadratic algorithmic complexity in the number of nesting levels, so a single 1 MB request can produce ~333,000 levels and freeze a Plug-based server for minutes. No public exploit identified at time of analysis, but the trigger is trivial and the upstream fix is already merged across multiple release branches.

Denial Of Service Plug
NVD GitHub
CVSS 4.0
8.7
EPSS
0.7%
CVE-2026-8468 HIGH PATCH GHSA This Week

Memory exhaustion in Elixir Plug 1.4.0 through 1.19.1 allows remote unauthenticated attackers to crash BEAM VM processes via unbounded buffer accumulation during multipart/form-data header parsing. The vulnerability mirrors CVE-2026-8466 in Cowboy: read_part_headers/2 recursively accumulates incoming bytes without size limits when parsing malformed multipart requests that never deliver complete header sections. Vendor-released patches available for all affected branches. No public exploit identified at time of analysis, but exploitation requires only basic HTTP client tools.

Denial Of Service Plug
NVD GitHub
CVSS 4.0
8.2
EPSS
0.3%
CVE-2018-1000883 MEDIUM PATCH This Month

Elixir Plug Plug version All contains a Header Injection vulnerability in Connection that can result in Given a cookie value, Headers can be added. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Plug
NVD GitHub
CVSS 3.0
6.5
EPSS
1.1%
CVE-2017-1000053 HIGH This Week

Elixir Plug before v1.0.4, v1.1.7, v1.2.3 and v1.3.2 is vulnerable to arbitrary code execution in the deserialization functions of Plug.Session. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization RCE Plug
NVD
CVSS 3.1
8.1
EPSS
1.1%
CVE-2017-1000052 HIGH This Week

Elixir Plug before v1.0.4, v1.1.7, v1.2.3 and v1.3.2 is vulnerable to null byte injection in the Plug.Static component, which may allow users to bypass filetype restrictions. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Plug
NVD
CVSS 3.1
7.8
EPSS
0.2%
EPSS 1% CVSS 8.7
HIGH PATCH This Week

Denial of service in Elixir Plug 1.15.0 through 1.19.2 allows unauthenticated remote attackers to saturate BEAM schedulers by sending HTTP requests with deeply nested bracket-style query parameters (e.g. a[a][a]...=1). Plug.Conn.Query.decode/4 exhibits quadratic algorithmic complexity in the number of nesting levels, so a single 1 MB request can produce ~333,000 levels and freeze a Plug-based server for minutes. No public exploit identified at time of analysis, but the trigger is trivial and the upstream fix is already merged across multiple release branches.

Denial Of Service Plug
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Memory exhaustion in Elixir Plug 1.4.0 through 1.19.1 allows remote unauthenticated attackers to crash BEAM VM processes via unbounded buffer accumulation during multipart/form-data header parsing. The vulnerability mirrors CVE-2026-8466 in Cowboy: read_part_headers/2 recursively accumulates incoming bytes without size limits when parsing malformed multipart requests that never deliver complete header sections. Vendor-released patches available for all affected branches. No public exploit identified at time of analysis, but exploitation requires only basic HTTP client tools.

Denial Of Service Plug
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Elixir Plug Plug version All contains a Header Injection vulnerability in Connection that can result in Given a cookie value, Headers can be added. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Plug
NVD GitHub
EPSS 1% CVSS 8.1
HIGH This Week

Elixir Plug before v1.0.4, v1.1.7, v1.2.3 and v1.3.2 is vulnerable to arbitrary code execution in the deserialization functions of Plug.Session. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization RCE Plug
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Elixir Plug before v1.0.4, v1.1.7, v1.2.3 and v1.3.2 is vulnerable to null byte injection in the Plug.Static component, which may allow users to bypass filetype restrictions. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Plug
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy