CVE-2026-28808

🗓️ 07 Apr 2026 13:16:00Reported by ubuntu.comType

Incorrect authorization in Erlang runtime inets exposes CGI scripts via script_alias mapping outside DocumentRoot.

Reporter	Title	Published	Views	Family All 39
ATTACKERKB	CVE-2026-28808	7 Apr 202612:28	–	attackerkb
CBLMariner	CVE-2026-28808 affecting package erlang for versions less than 26.2.5.19-1	27 Apr 202621:30	–	cbl_mariner
Circl	CVE-2026-28808	7 Apr 202615:21	–	circl
CNNVD	Erlang/OTP 安全漏洞	7 Apr 202600:00	–	cnnvd
CVE	CVE-2026-28808	7 Apr 202612:28	–	cve
Cvelist	CVE-2026-28808 ScriptAlias CGI targets bypass directory auth in inets httpd (mod_auth vs mod_cgi path mismatch)	7 Apr 202612:28	–	cvelist
Debian CVE	CVE-2026-28808	7 Apr 202612:28	–	debiancve
EUVD	EUVD-2026-19602	7 Apr 202612:28	–	euvd
Fedora	[SECURITY] Fedora 44 Update: erlang-26.2.5.19-1.fc44	25 Apr 202601:55	–	fedora
Fedora	[SECURITY] Fedora 43 Update: erlang-26.2.5.19-1.fc43	16 Apr 202600:56	–	fedora

OS	OS Version	Architecture	Package	Filename
Ubuntu	26.04	any	erlang	erlang_0_any.deb
Ubuntu	14.04	any	erlang	erlang_0_any.deb
Ubuntu	16.04	any	erlang	erlang_0_any.deb
Ubuntu	18.04	any	erlang	erlang_0_any.deb
Ubuntu	20.04	any	erlang	erlang_0_any.deb
Ubuntu	22.04	any	erlang	erlang_0_any.deb
Ubuntu	24.04	any	erlang	erlang_0_any.deb
Ubuntu	25.10	any	erlang	erlang_0_any.deb

Source	Link
cve	www.cve.org/CVERecord
github	www.github.com/erlang/otp/security/advisories/GHSA-3vhp-h532-mc3f
github	www.github.com/erlang/otp/commit/8fc71ac6af4fbcc54103bec2983ef22e82942688
cna	www.cna.erlef.org/cves/CVE-2026-28808.html
github	www.github.com/erlang/otp/commit/9dfa0c51eac97866078e808dec2183cb7871ff7c
osv	www.osv.dev/vulnerability/EEF-CVE-2026-28808
erlang	www.erlang.org/doc/system/versions.html

08 Apr 2026 18:35Current

5.9Medium risk

Vulners AI Score5.9

CVSS 3.19.8

CVSS 48.3

EPSS0.00495

SSVC