298 matches found
CVE-2026-48853
A flaw was found in the grpc component of elixir-grpc. This vulnerability allows unauthenticated attackers to send specially crafted messages, leading to two critical outcomes. First, it can cause a Denial of Service DoS by crashing the Erlang virtual machine BEAM node. Second, under certain...
EUVD-2026-31974
obanweb: Unbounded range expansion in cron describe causes memory exhaustion...
CVE-2026-54889
Summary: CVE-2026-54889 security issue in Elixir.MDEx.mdex Delta conversion path allows XSS via unsanitized URL schemes in Quill Delta output. The vulnerability arises when Elixir.MDEx.DeltaConverter.default_convert_node/3 copies the URL from link, wikilink, or image nodes into the Delta attribut...
CVE-2026-54889 Unsanitized URL schemes in MDEx Quill Delta output allow javascript: injection (XSS)
Improper Neutralization of Input During Web Page Generation XSS vulnerability in leandrocp mdex allows cross-site scripting via unsanitized URL schemes in Quill Delta output. 'Elixir.MDEx':todelta/2 converts Markdown into a Quill Delta. 'Elixir.MDEx.DeltaConverter':defaultconvertnode/3 in...
CVE-2026-54888 Uncontrolled recursion over deeply nested Markdown crashes the BEAM in mdex
Uncontrolled Recursion vulnerability in leandrocp mdex allows denial of service via deeply nested Markdown input. mdex converts between an Elixir %MDEx.Document struct and Comrak's internal AST using two mutually recursive Rust functions, exdocumenttocomrakast and comrakasttoexdocument, in the NI...
CVE-2026-49762
A flaw was found in the Elixir standard library's Version module. A remote attacker can exploit this uncontrolled resource consumption vulnerability by providing a specially crafted, excessively long version string. This malicious input forces the system to perform a super-linear,...
CVE-2026-53430
Improper Handling of Highly Compressed Data Data Amplification vulnerability in elixir-grpc grpc GRPC.Compressor.Gzip, GRPC.Message modules allows a denial of service via a gzip decompression bomb. This vulnerability is associated with program files lib/grpc/compressor/gzip.ex, lib/grpc/message.e...
CVE-2026-48854
Allocation of Resources Without Limits or Throttling vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM's memory and crash the server by streaming a large or slow-trickle unary request body. 'Elixir.GRPC.Server.Adapters.Cowboy.Handler':readfullbody/3...
CVE-2026-48853 Remote code execution and denial of service via unsafe Erlang term deserialization in elixir-grpc/grpc
Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unauthenticated attackers to crash the BEAM node via atom table exhaustion and, when a decoded term flows into a call site that invokes it, achieve remote code...
EUVD-2026-37015
Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unauthenticated attackers to crash the BEAM node via atom table exhaustion and, when a decoded term flows into a call site that invokes it, achieve remote code...
EEF-CVE-2026-48853 Remote code execution and denial of service via unsafe Erlang term deserialization in elixir-grpc/grpc
Summary Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unauthenticated attackers to crash the BEAM node via atom table exhaustion and, when a decoded term flows into a call site that invokes it, achieve remote...
CVE-2026-53430 grpc gzip decompression bomb in GRPC.Compressor.Gzip.decompress/1
Improper Handling of Highly Compressed Data Data Amplification vulnerability in elixir-grpc grpc GRPC.Compressor.Gzip, GRPC.Message modules allows a denial of service via a gzip decompression bomb. This vulnerability is associated with program files lib/grpc/compressor/gzip.ex, lib/grpc/message.e...
CVE-2026-53430 grpc gzip decompression bomb in GRPC.Compressor.Gzip.decompress/1
Improper Handling of Highly Compressed Data Data Amplification vulnerability in elixir-grpc grpc GRPC.Compressor.Gzip, GRPC.Message modules allows a denial of service via a gzip decompression bomb. This vulnerability is associated with program files lib/grpc/compressor/gzip.ex, lib/grpc/message.e...
EUVD-2026-37014
Improper Handling of Highly Compressed Data Data Amplification vulnerability in elixir-grpc grpc GRPC.Compressor.Gzip, GRPC.Message modules allows a denial of service via a gzip decompression bomb. This vulnerability is associated with program files lib/grpc/compressor/gzip.ex, lib/grpc/message.e...
EEF-CVE-2026-53430 grpc gzip decompression bomb in GRPC.Compressor.Gzip.decompress/1
Summary Improper Handling of Highly Compressed Data Data Amplification vulnerability in elixir-grpc grpc GRPC.Compressor.Gzip, GRPC.Message modules allows a denial of service via a gzip decompression bomb. This vulnerability is associated with program files lib/grpc/compressor/gzip.ex,...
CVE-2026-48599 Authorization bypass via path binding override in elixir-grpc/grpc HTTP transcoding
Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or request body. In...
EEF-CVE-2026-48599 Authorization bypass via path binding override in elixir-grpc/grpc HTTP transcoding
Summary Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or request body. In...
EUVD-2026-37013
Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or request body. In...
CVE-2026-48599 Authorization bypass via path binding override in elixir-grpc/grpc HTTP transcoding
Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or request body. In...
CVE-2026-48599
This CVE affects elixir-grpc/grpc (HTTP transcoding) where path-bound fields can be overridden by attacker-controlled values due to Map.merge/2 precedence in Elixir.GRPC.Server.Transcode:map_request/5. The underlying issue allows an authenticated attacker to access or modify resources of other us...