
21 matches found

EUVD
added 2026/06/02 1:41 p.m., 10 views

EUVD-2026-33928

Symlink following vulnerability in Gleam's Hex package export allows files outside the project root to be embedded in the generated package tarball. The file collection helpers (gleam_files, native_files, private_files in compiler-cli/src/fs.rs) use follow_links(true) when walking publishable directories...

CVSS 5.1, AI score 5.9, EPSS 0.00132
Exploits: 0, References: 4
CVE
added 2025/10/10 3:57 p.m., 9 views

CVE-2025-48043

CVE-2025-48043 describes an Incorrect Authorization vulnerability in the Ash Framework ('ash') that allows authentication bypass via the policy authorizer. The issue is tied to lib/ash/policy/authorizer/authorizer.ex and Elixir.Ash.Policy.Authorizer:strict_filters/2 and affects ash versions prior...

CVSS 8.6, AI score 6.6, EPSS 0.0047
Exploits: 0, References: 4
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2019-1732

Malware in sbrugna...

CVSS 8.8, AI score 8.8, EPSS 0.00877
Exploits: 0, References: 3
EUVD
added 2025/10/03 8:7 p.m., 5 views

EUVD-2022-4868

Malicious code in bioql PyPI...

CVSS 8.8, AI score 8.8, EPSS 0.00877
Exploits: 0, References: 4
Positive Technologies
added 2025/09/07 12:0 a.m., 6 views

PT-2025-36416

Name of the Vulnerable Software and Affected Versions: ash versions prior to 3.5.39 Description: An incorrect authorization vulnerability exists in ash, allowing exploitation of incorrectly configured access control security levels. This issue is associated with program files...

CVSS 7.1, AI score 6.4, EPSS 0.00293
Exploits: 0, References: 10
OSV
added 2020/09/01 5:15 p.m., 15 views

CVE-2020-15150

There is a vulnerability in Paginator (Elixir/Hex package) which makes it susceptible to Remote Code Execution (RCE) attacks via input parameters to the paginate function. This will potentially affect all current users of Paginator prior to version 1.0.0. The vulnerability has been patched in version...

CVSS 9.8, AI score 7.4
Exploits: 0, References: 4
NVD
added 2020/01/09 2:15 a.m., 27 views

CVE-2020-5205

In Pow Hex package before 1.0.16, the use of Plug.Session in Pow.Plug.Session is susceptible to session fixation attacks if a persistent session store is used for Plug.Session, such as Redis or a database. Cookie store, which is used in most Phoenix apps, doesn't have this vulnerability...

CVSS 6.5, AI score 6.4, EPSS 0.0077
Exploits: 0, References: 3
OSV
added 2020/01/09 2:15 a.m., 18 views

CVE-2020-5205

In Pow Hex package before 1.0.16, the use of Plug.Session in Pow.Plug.Session is susceptible to session fixation attacks if a persistent session store is used for Plug.Session, such as Redis or a database. Cookie store, which is used in most Phoenix apps, doesn't have this vulnerability...

CVSS 5.4, AI score 6.8
Exploits: 0, References: 3
Cvelist
added 2020/01/09 2:5 a.m., 29 views

CVE-2020-5205 Session fixation attack in Pow (Hex package)

In Pow Hex package before 1.0.16, the use of Plug.Session in Pow.Plug.Session is susceptible to session fixation attacks if a persistent session store is used for Plug.Session, such as Redis or a database. Cookie store, which is used in most Phoenix apps, doesn't have this vulnerability...

CVSS 6.5, AI score 6.4, EPSS 0.0077
Exploits: 0, References: 3
CVE
added 2020/01/09 2:5 a.m., 98 views

CVE-2020-5205

CVE-2020-5205 affects Pow (Hex package) prior to 1.0.16 in Pow.Plug.Session when a persistent session store (e.g., Redis or database) is used. The vulnerability enables session fixation attacks due to how Plug.Session handles the session across persistent stores; cookie store usage (common in Pho...

CVSS 6.5, AI score 5.5, EPSS 0.0077
Exploits: 0, References: 3, Affected Software: 1
BDU FSTEC
added 2019/11/04 12:0 a.m., 4 views

The vulnerability of the Hex package manager, related to insufficient validation of input data, allows for the execution of arbitrary code.

The vulnerability of the package manager Hex is related to insufficient validation of input data. Exploiting this vulnerability allows a malicious actor to execute arbitrary code by loading packages from a malicious mirror site...

CVSS 8.8, AI score 8.1, EPSS 0.00877
Exploits: 0, References: 4, Affected Software: 2
OSV
added 2019/02/04 9:29 p.m., 9 views

CVE-2019-1000012

Hex package manager version 0.14.0 through 0.18.2 contains a Signing oracle vulnerability in Package registry verification that can result in Package modifications not detected, allowing code execution. This attack appears to be exploitable via victim fetches packages from malicious/compromised...

CVSS 8.8, AI score 7.3
Exploits: 0, References: 2
NVD
added 2019/02/04 9:29 p.m., 18 views

CVE-2019-1000013

Hex package manager hexcore version 0.3.0 and earlier contains a Signing oracle vulnerability in Package registry verification that can result in Package modifications not detected, allowing code execution. This attack appears to be exploitable via victim fetches packages from malicious/compromis...

CVSS 8.8, AI score 8.9, EPSS 0.00877
Exploits: 0, References: 2
NVD
added 2019/02/04 9:29 p.m., 8 views

CVE-2019-1000012

Hex package manager version 0.14.0 through 0.18.2 contains a Signing oracle vulnerability in Package registry verification that can result in Package modifications not detected, allowing code execution. This attack appears to be exploitable via victim fetches packages from malicious/compromised...

CVSS 8.8, AI score 8.9, EPSS 0.00877
Exploits: 0, References: 2
OSV
added 2019/02/04 9:29 p.m., 17 views

CVE-2019-1000013

Hex package manager hexcore version 0.3.0 and earlier contains a Signing oracle vulnerability in Package registry verification that can result in Package modifications not detected, allowing code execution. This attack appears to be exploitable via victim fetches packages from malicious/compromis...

CVSS 8.8, AI score 7.3
Exploits: 0, References: 2
Prion
added 2019/02/04 9:29 p.m., 9 views

Design/Logic Flaw

Hex package manager version 0.14.0 through 0.18.2 contains a Signing oracle vulnerability in Package registry verification that can result in Package modifications not detected, allowing code execution. This attack appears to be exploitable via victim fetches packages from malicious/compromised...

CVSS 6.8, AI score 8.8, EPSS 0.00877
Exploits: 0, References: 2, Affected Software: 1
Prion
added 2019/02/04 9:29 p.m., 28 views

Design/Logic Flaw

Hex package manager hexcore version 0.3.0 and earlier contains a Signing oracle vulnerability in Package registry verification that can result in Package modifications not detected, allowing code execution. This attack appears to be exploitable via victim fetches packages from malicious/compromis...

CVSS 6.8, AI score 8.8, EPSS 0.00877
Exploits: 0, References: 2, Affected Software: 1
Cvelist
added 2019/02/04 9:0 p.m., 24 views

CVE-2019-1000013

Hex package manager hexcore version 0.3.0 and earlier contains a Signing oracle vulnerability in Package registry verification that can result in Package modifications not detected, allowing code execution. This attack appears to be exploitable via victim fetches packages from malicious/compromis...

AI score 9, EPSS 0.00877
Exploits: 0, References: 2
CVE
added 2019/02/04 9:0 p.m., 47 views

CVE-2019-1000012

Hex package manager versions 0.14.0–0.18.2 contain a signing oracle vulnerability in the package registry verification, which can allow package modifications to go undetected and lead to code execution when victims fetch packages from a malicious/compromised mirror. The issue is tied to the regis...

CVSS 8.8, AI score 8.9, EPSS 0.00877
Exploits: 0, References: 2, Affected Software: 1
CVE
added 2019/02/04 9:0 p.m., 53 views

CVE-2019-1000013

Hex Core (Hex package manager) versions 0.3.0 and earlier contain a Signing oracle vulnerability in the Package registry verification that can allow code execution. The issue arises when a victim fetches packages from a malicious or compromised mirror, potentially modifying packages without detec...

CVSS 8.8, AI score 8.9, EPSS 0.00877
Exploits: 0, References: 2, Affected Software: 1