cvebase

Hexpm Hex.Pm vulnerabilities

4 known vulnerabilities affecting hexpm/hex.pm.

Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, MEDIUM 3

Vulnerabilities

CVE-2026-21622 | Priority P2 | CRITICAL | CVSS 9.8 | Affected versions: ≥ 2025-08-01, < 2026-03-05 | Published: 2026-03-05
CVE-2026-21622 [CRITICAL] CWE-613: Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Accounts.PasswordReset' module) allows Account Takeover. Password reset tokens generated via the "Reset your password" flow do not expire. When a user requests a password reset, Hex sends an email containing a reset link with a token. This token remains valid indefinitely…
Source: NVD
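The CWE-613 pattern above, as an added example that is not Hexpm's code: a reset-token store that accepts any issued token forever (the reported behaviour) next to one that stores only a hash, enforces a time-to-live, invalidates earlier tokens when a new one is issued, and consumes a token on first use. The 15-minute window and the in-memory dict are assumptions for the illustration.

```python
"""Password-reset tokens: no expiry (vulnerable) vs. TTL + single use (hardened).

Added example, not Hexpm code. Illustrates the CWE-613 class behind
CVE-2026-21622. RESET_TTL_SECONDS and the in-memory store are assumptions.
"""
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumption: a 15-minute validity window


class VulnerableResetStore:
    """Accepts any token it ever issued, regardless of age or prior use."""

    def __init__(self):
        self._tokens = {}  # raw token -> user id

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = user_id
        return token

    def redeem(self, token, now=None):
        # No expiry and no invalidation: a leaked or forwarded link keeps working.
        return self._tokens.get(token)


class HardenedResetStore:
    """Hashes tokens at rest, expires them, and consumes them on first use."""

    def __init__(self, ttl=RESET_TTL_SECONDS):
        self._ttl = ttl
        self._tokens = {}  # sha256(token) -> (user_id, issued_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, now=None):
        now = time.time() if now is None else now
        # A fresh request invalidates any token still outstanding for this user.
        for digest, (uid, _issued) in list(self._tokens.items()):
            if uid == user_id:
                del self._tokens[digest]
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = (user_id, now)
        return token

    def redeem(self, token, now=None):
        now = time.time() if now is None else now
        entry = self._tokens.pop(self._digest(token), None)  # single use
        if entry is None:
            return None  # unknown, already used, or superseded
        user_id, issued_at = entry
        if now - issued_at > self._ttl:
            return None  # expired: caller must start a new reset flow
        return user_id


def demo():
    """Exercises both stores with fixed clock values; returns the outcomes."""
    vuln = VulnerableResetStore()
    t = vuln.issue("alice")
    stale_accepted = vuln.redeem(t, now=10 * 24 * 3600) == "alice"  # ten days on

    hard = HardenedResetStore()
    t0 = 1_700_000_000
    t_expired = hard.issue("alice", now=t0)
    expired = hard.redeem(t_expired, now=t0 + RESET_TTL_SECONDS + 1)  # None
    t_fresh = hard.issue("alice", now=t0)
    fresh = hard.redeem(t_fresh, now=t0 + 60)    # "alice"
    replay = hard.redeem(t_fresh, now=t0 + 61)   # None: already consumed
    return stale_accepted, expired, fresh, replay


if __name__ == "__main__":
    print(demo())
```

Redeeming also rotates nothing else here; in a real flow the successful redeem should additionally terminate the user's other sessions, since a password reset is the natural recovery point after a suspected compromise.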
CVE-2026-23940 | Priority P3 | MEDIUM | CVSS 6.5 | Fixed in 2026-03-10 | Published: 2026-03-13
CVE-2026-23940 [MEDIUM] CWE-400: Uncontrolled Resource Consumption vulnerability in hexpm hexpm/hexpm allows Excessive Allocation. Publishing an oversized package can cause Hex.pm to run out of memory while extracting the uploaded package tarball. This can terminate the affected application instance and result in a denial of service for package publishing and potentially other pack…
Source: NVD
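The CWE-400 failure mode above, as an added example that is not Hexpm's code: an extractor that reads every tarball member fully into memory, beside one that caps the upload size, the member count and the cumulative extracted size using the sizes in the tar headers before any member body is read. The limits, the member names and the constructed tarballs are assumptions; the "bomb" is simply a small gzip stream that expands to tens of megabytes.

```python
"""Bounded extraction of an uploaded package tarball.

Added example, not Hexpm code. Illustrates the CWE-400 class behind
CVE-2026-23940. The caps below and the sample tarballs are assumptions.
"""
import io
import tarfile

MAX_TARBALL_BYTES = 8 * 1024 * 1024     # assumed cap on the upload itself
MAX_EXTRACTED_BYTES = 16 * 1024 * 1024  # assumed cap on decompressed content
MAX_MEMBERS = 1_000                     # assumed cap on number of entries


class PackageTooLarge(ValueError):
    pass


def extract_unbounded(data: bytes) -> dict:
    """Reads every member body into memory with no limit (the reported failure mode)."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                out[member.name] = tar.extractfile(member).read()
    return out


def extract_bounded(data: bytes) -> dict:
    """Rejects the upload before allocating for it: checks upload size,
    member count and the running total of header-declared sizes, and only
    then reads each body, bounded by its declared size."""
    if len(data) > MAX_TARBALL_BYTES:
        raise PackageTooLarge(f"upload is {len(data)} bytes")
    out, total, members = {}, 0, 0
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:  # iterates headers; bodies are not read yet
            members += 1
            if members > MAX_MEMBERS:
                raise PackageTooLarge("too many members")
            if not member.isfile():
                continue  # assumption: only regular files are accepted
            total += member.size  # declared in the tar header
            if total > MAX_EXTRACTED_BYTES:
                raise PackageTooLarge(
                    f"extracted size would exceed {MAX_EXTRACTED_BYTES} bytes")
            out[member.name] = tar.extractfile(member).read(member.size)
    return out


def build_tarball(files: dict) -> bytes:
    """Constructed test input: a .tar.gz mapping name -> bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def demo():
    """Returns (small tarball accepted, oversized tarball rejected,
    oversized tarball was itself under the upload cap)."""
    small = build_tarball({"metadata.config": b"{<<\"name\">>,<<\"demo\">>}.\n"})
    # 32 MiB of zeros gzips to roughly 32 KiB: tiny upload, large extraction.
    bomb = build_tarball({"contents.tar.gz": b"\0" * (32 * 1024 * 1024)})
    accepted = len(extract_bounded(small)) == 1
    try:
        extract_bounded(bomb)
        rejected = False
    except PackageTooLarge:
        rejected = True
    return accepted, rejected, len(bomb) < MAX_TARBALL_BYTES


if __name__ == "__main__":
    print(demo())
```

The header-declared size is what makes the check cheap: the oversized member is refused after reading 512 bytes of header, not after inflating it. A size limit on the upload alone would not have helped, since the constructed tarball is well under the upload cap.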
CVE-2026-21621 | Priority P3 | MEDIUM | CVSS 5.3 | Affected versions: ≥ 2025-08-18, < 2026-03-05 | Published: 2026-03-05
CVE-2026-21621 [MEDIUM] CWE-863: Incorrect Authorization vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.API.OAuthController' module) allows Privilege Escalation. An API key created with read-only permissions (domain: "api", resource: "read") can be escalated to full write access under specific conditions. When exchanging a read-only API key via the OAuth client_credentials…
Source: NVD
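The CWE-863 class above, as an added example that is not Hexpm's code and does not reproduce the exact conditions the advisory leaves unstated: a client_credentials exchange that grants the requested (or a default, full) scope set without reference to the presented key's own permissions, beside one in which the granted scopes can never exceed what the key holds. The "domain:resource" scope vocabulary is an assumption modelled on the (domain: "api", resource: "read") wording.

```python
"""Scope handling in an OAuth 2.0 client_credentials exchange.

Added example, not Hexpm code. Illustrates the CWE-863 class behind
CVE-2026-21621. The scope vocabulary and data model are assumptions.
"""
from dataclasses import dataclass

# Assumed vocabulary: "api:read" is strictly weaker than "api:write".
ALL_SCOPES = frozenset({"api:read", "api:write", "repositories"})


@dataclass
class ApiKey:
    name: str
    permissions: frozenset  # what this key is allowed to do


@dataclass
class AccessToken:
    scopes: frozenset


class InvalidScope(Exception):
    """RFC 6749 section 5.2 'invalid_scope' error."""


def exchange_vulnerable(key, requested=None):
    """Grants whatever was asked for, or everything when nothing was asked.
    Neither branch consults key.permissions."""
    if not requested:
        return AccessToken(frozenset(ALL_SCOPES))  # escalation: default is 'all'
    return AccessToken(frozenset(requested))       # escalation: caller chooses


def exchange_hardened(key, requested=None):
    """Granted scopes are always a subset of the key's permissions."""
    if not requested:
        # Defaulting means "everything this key can do", never "everything".
        return AccessToken(frozenset(key.permissions))
    requested = set(requested)
    unknown = requested - ALL_SCOPES
    if unknown:
        raise InvalidScope(f"unknown scopes: {sorted(unknown)}")
    excess = requested - key.permissions
    if excess:
        # Reject rather than silently narrow, so a client cannot learn by
        # inspection which scopes it almost got.
        raise InvalidScope(f"key may not grant: {sorted(excess)}")
    return AccessToken(frozenset(requested))


def can_publish(token):
    return "api:write" in token.scopes


def demo():
    """Returns whether a read-only key ends up able to publish under each
    exchange, for both the 'no scope requested' and 'write requested' cases."""
    read_only = ApiKey("ci-reader", frozenset({"api:read"}))
    v_default = can_publish(exchange_vulnerable(read_only))                 # True
    v_explicit = can_publish(exchange_vulnerable(read_only, {"api:write"}))  # True
    h_default = can_publish(exchange_hardened(read_only))                   # False
    try:
        exchange_hardened(read_only, {"api:write"})
        h_explicit_rejected = False
    except InvalidScope:
        h_explicit_rejected = True
    return v_default, v_explicit, h_default, h_explicit_rejected


if __name__ == "__main__":
    print(demo())
```

The property to test for in any token-exchange endpoint is the same regardless of framework: for every credential and every request, granted scopes ⊆ credential's scopes, including the path where the scope parameter is absent.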
CVE-2026-21618 | Priority P4 | MEDIUM | CVSS 6.1 | Affected versions: ≥ 2025-10-01, < 2026-01-19 | Published: 2026-01-19
CVE-2026-21618 [MEDIUM] CWE-79: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.SharedAuthorizationView' module) allows Cross-Site Scripting (XSS). This vulnerability is associated with program file lib/hexpm_web/views/shared_authorization_view.ex and program routines 'Elixir.HexpmWeb…
Source: NVD