CVE-2026-23939
The CVE-2026-23939 issue affects the Local Storage backend of hexpm (Elixir.Hexpm.Store.Local) used in self-hosted deployments. The vulnerability is a path traversal flaw in local storage routines get/3, put/4, delete/2, and delete_many/2 within lib/hexpm/store/local.ex, allowing relative path tr...
CVE-2026-21618
Summary: CVE-2026-21618 is an XSS vulnerability in hexpm (hexpm/hexpm) affecting Elixir HexpmWeb.SharedAuthorizationView. The issue stems from improper input neutralization in web page generation, specifically in lib/hexpm_web/views/shared_authorization_view.ex and the function render_grouped_sco...
CVE-2026-21621
CVE-2026-21621 affects the Hex.pm application (hexpm/hexpm). The vulnerability arises from the OAuth client_credentials flow in Elixir.HexpmWeb.API.OAuthController (validate_scopes_against_key/2), where a read-only API key (domain: api, resource: read) loses its scope and is issued a broad api sc...
CVE-2026-21622
The CVE-2026-21622 vulnerability affects hexpm (Elixir.Hexpm.Accounts.PasswordReset) where password reset tokens do not expire. The issue arises in the PasswordReset flow (lib/hexpm/accounts/password_reset.ex; Elixir.Hexpm.Accounts.PasswordReset:can_reset?/3), allowing tokens to remain valid inde...
CVE-2026-23940
CVE-2026-23940 describes an Uncontrolled Resource Consumption vulnerability in hexpm/hexpm that allows Excessive Allocation during package upload. Publishing an oversized package can exhaust memory during tarball extraction, potentially terminating the affected Hex.pm instance and causing a denia...