8 matches found
CVE-2026-48853
A flaw was found in the grpc component of elixir-grpc. This vulnerability allows unauthenticated attackers to send specially crafted messages, leading to two critical outcomes. First, it can cause a Denial of Service DoS by crashing the Erlang virtual machine BEAM node. Second, under certain...
EEF-CVE-2026-54888 Uncontrolled recursion over deeply nested Markdown crashes the BEAM in mdex
Summary Uncontrolled Recursion vulnerability in leandrocp mdex allows denial of service via deeply nested Markdown input. mdex converts between an Elixir %MDEx.Document struct and Comrak's internal AST using two mutually recursive Rust functions, ex\document\to\comrak\ast and...
EUVD-2026-31691
Hackney vulnerable to atom-table exhaustion via unrecognized URL schemes...
MPEG-4 container plugin for Membrane Framework 安全漏洞
The MPEG-4 container plugin for Membrane Framework is an open-source plugin developed by Membrane Framework for parsing and multiplexing MP4 containers. Versions of the MPEG-4 container plugin for Membrane Framework from 0.3.0 to 0.36.7 contained security vulnerabilities. These vulnerabilities...
CVE-2026-48593
Uncontrolled Resource Consumption vulnerability in oban-bg obanweb 'Elixir.Oban.Web.CronExpr' modules allows memory exhaustion via unbounded cron range expansion. An attacker with access to schedule cron jobs can submit a malicious cron expression such as "0 0 1-100000000 ". When a user with...
GHSA-QF4G-9FQQ-MMM7 Absinthe: Unbounded atom creation from parsed directive name
Summary When Absinthe parses a GraphQL SDL document, every directive @ definition is converted into a freshly created atom without any allow-list or length cap. Because atoms are never garbage-collected and the BEAM has a hard 1,048,576 atom-table limit, any application that feeds...
Ash.Type.Module.cast_input/2 atom exhaustion via unchecked Module.concat allows BEAM VM crash
Summary Ash.Type.Module.castinput/2 unconditionally creates a new Erlang atom via Module.concatvalue for any user-supplied binary string that starts with "Elixir.", before verifying whether the referenced module exists. Because Erlang atoms are never garbage-collected and the BEAM atom table has ...
PT-2026-29495
Summary Ash.Type.Module.cast input/2 unconditionally creates a new Erlang atom via Module.concatvalue for any user-supplied binary string that starts with "Elixir.", before verifying whether the referenced module exists. Because Erlang atoms are never garbage-collected and the BEAM atom table has...