Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

hex

hex

56 packages · hex.pm

Security Advisories in hex

High
2 days ago

ex_aws_sns SigningCertURL not validated in verify_message/1 EEF-CVE-2026-47074

hex ex_aws_sns
Medium
4 days ago

Missing authorization check on save-job event handler in oban_web EEF-CVE-2026-48592

hex oban_web
Medium
4 days ago

Unbounded range expansion in cron describe causes memory exhaustion in oban_web EEF-CVE-2026-48593

hex oban_web
High
5 days ago

Unbounded memory consumption in WebSocket client in hackney EEF-CVE-2026-47073

hex hackney
High
5 days ago

Atom table exhaustion via unrecognized URL schemes in hackney EEF-CVE-2026-47067

hex hackney
Medium
5 days ago

CRLF injection in WebSocket upgrade request in hackney EEF-CVE-2026-47072

hex hackney
Medium
5 days ago

SSRF allowlist bypass via percent-encoded host in hackney EEF-CVE-2026-47076

hex hackney
Medium
5 days ago

HTTP/3 redirect handler leaks Authorization and Cookie headers to cross-origin redirect target in hackney EEF-CVE-2026-47070

hex hackney
Medium
5 days ago

CR/LF injection in query parameter in hackney EEF-CVE-2026-47075

hex hackney
High
5 days ago

Unbounded body accumulation in HTTP/3 response loop in hackney EEF-CVE-2026-47077

hex hackney
High
5 days ago

SOCKS5 TLS upgrade ignores caller timeout in hackney EEF-CVE-2026-47071

hex hackney
High
5 days ago

Infinite loop in Alt-Svc header parser in hackney EEF-CVE-2026-47066

hex hackney
Low
5 days ago

CRLF injection in cookie domain/path options in hackney EEF-CVE-2026-47069

hex hackney
High
10 days ago

Plug: Unbounded buffer accumulation in multipart header parsing causes denial of service GSA_kwCzR0hTQS00NjhjLXZxN3AtZ2g2NM4ABXJu

hex plug
Low
10 days ago

Cross-session PubSub topic injection via URL parameter in phoenix_storybook EEF-CVE-2026-47068

hex phoenix_storybook
Critical
10 days ago

Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground EEF-CVE-2026-8467

hex phoenix_storybook
High
10 days ago

Unauthenticated denial-of-service via BEAM atom table exhaustion in phoenix_storybook EEF-CVE-2026-8469

hex phoenix_storybook
High
11 days ago

Bandit: Unauthenticated DoS via chunked request trailers in Bandit HTTP/1 decoder GSA_kwCzR0hTQS1yZjVxLXZ3eHctZ21yZs4ABXHZ

hex bandit
High
11 days ago

Bandit: Unauthenticated one-shot DoS via `Transfer-Encoding: chunked` GSA_kwCzR0hTQS05cTlxLTMyNHgtOTNyMs4ABXHY

hex bandit
High
12 days ago

Postgrex: Channel-name SQL injection in `Postgrex.Notifications.listen/3` GSA_kwCzR0hTQS1yNzNoLTk3dzgtbTU0aM4ABXBc

hex postgrex
High
16 days ago

Absinthe: Quadratic fragment-name uniqueness check GSA_kwCzR0hTQS05bWh2LThoNTItcTdxMs4ABW2h

hex absinthe
High
16 days ago

Absinthe: Unbounded atom creation from parsed directive name GSA_kwCzR0hTQS1xZjRnLTlmcXEtbW1tN84ABW2g

hex absinthe
High
16 days ago

Unbounded buffer accumulation in multipart header parsing causes denial of service in plug EEF-CVE-2026-8468

hex plug
High
17 days ago

Cowboy: Unbounded buffer accumulation in multipart header parsing causes denial of service in cowboy GSA_kwCzR0hTQS1qZmMyLXE2cWgtZzV4OM4ABW07

hex cowboy
High
17 days ago

cowlib: Decompression Bomb in cow_spdy:inflate/2 Allows Memory Exhaustion via Crafted SPDY Frame GSA_kwCzR0hTQS04NGYyLXJwODYtMjM1cM4ABW1C

hex cowlib
High
17 days ago

Decompression Bomb in cow_spdy:inflate/2 Allows Memory Exhaustion via Crafted SPDY Frame EEF-CVE-2026-43970

hex cowlib
High
17 days ago

Unbounded buffer accumulation in multipart header parsing causes denial of service in cowboy EEF-CVE-2026-8466

hex cowboy
High
17 days ago

HTTP/1 chunked decoder infinite loop on requests with trailer fields in bandit EEF-CVE-2026-39806

hex bandit
High
17 days ago

HTTP/1 chunked body reader ignores length cap in bandit EEF-CVE-2026-39803

hex bandit
Moderate
18 days ago

Decimal: Unbounded exponent in `Decimal.new` enables unauthenticated DoS GSA_kwCzR0hTQS1yaHY0LTg3NTgtang3ds4ABWsf

hex decimal
High
18 days ago

SQL injection via channel name in Postgrex.Notifications.listen/3 and unlisten/3 EEF-CVE-2026-32687

hex postgrex
High
19 days ago

cowlib cow_http_te module: Uncontrolled Resource Consumption vulnerability allows Excessive Allocation GSA_kwCzR0hTQS0zMnA5LTU3Y3ItNHg2Nc4ABWml

hex cowlib
Moderate
19 days ago

ninenines cowlib: Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability allows SSE event splitting and injection via unvalidated field values GSA_kwCzR0hTQS1odjIzLTRxcDctOGM4cs4ABWm0

hex cowlib
Low
19 days ago

cowlib: Cookie Request Header Injection via Unvalidated Encoder in cow_cookie:cookie/1 GSA_kwCzR0hTQS1nMndtLTczNXEtM2Y1Ns4ABWms

hex cowlib
Medium
19 days ago

CR Injection in SSE Encoder Enables Event Splitting via cow_sse:event/1 EEF-CVE-2026-43968

hex cowlib
High
19 days ago

Unbounded chunk-size hex digits in cowlib cause quadratic CPU and memory DoS EEF-CVE-2026-7790

hex cowlib
Low
19 days ago

Cookie Request Header Injection via Unvalidated Encoder in cow_cookie:cookie/1 EEF-CVE-2026-43969

hex cowlib
High
22 days ago

Phoenix: Long-poll NDJSON body splitting causes large memory allocation GSA_kwCzR0hTQS02MjhoLXE0OGotanI2cc4ABWgF

hex phoenix
Low
22 days ago

absinthe_plug Has a Cross-site Scripting vulnerability GSA_kwCzR0hTQS1jNjJnLWozNDYtMzl2Nc4ABWfi

hex absinthe_plug
High
22 days ago

ex_webrtc client-role handshake is missing DTLS peer fingerprint validation GSA_kwCzR0hTQS1xd2Z3LWdneHctNTc3Y84ABWfP

hex ex_webrtc
High
22 days ago

Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe EEF-CVE-2026-42793

hex absinthe
Low
22 days ago

Reflected XSS via backslash bypass in GraphiQL js_escape in absinthe_plug EEF-CVE-2026-42794

hex absinthe_plug
High
22 days ago

Quadratic fragment-name uniqueness check causes denial of service in absinthe EEF-CVE-2026-43967

hex absinthe
Medium
23 days ago

Unbounded exponent in decimal enables unauthenticated DoS EEF-CVE-2026-32686

hex decimal
Moderate
23 days ago

Bandit HTTP/2 Frame Size Limit Bypass via Late Buffer Check Enables Memory Exhaustion GSA_kwCzR0hTQS1xNnY5LXIyMjYtdjY1Zs4ABWYH

hex bandit
Moderate
23 days ago

Bandit trusts client-supplied URI scheme on plaintext connections GSA_kwCzR0hTQS0zNzVmLTRyMmgtZjk5as4ABWYG

hex bandit
Moderate
23 days ago

Bandit is vulnerable to CL.CL request smuggling via unrejected duplicate `Content-Length` header GSA_kwCzR0hTQS1jNjdyLWdjOWotMnFmN84ABWYF

hex bandit
High
23 days ago

Bandit Buffers Unbounded WebSocket Continuation Frames, Allowing Unauthenticated Memory Exhaustion GSA_kwCzR0hTQS1wZjk0LTk0bTktNTM2cM4ABWYE

hex bandit
High
23 days ago

Bandit's unbounded WebSocket inflate causes BEAM OOM with a single frame GSA_kwCzR0hTQS1mcmgzLTZwdjYtcmM4as4ABWYD

hex bandit
High
25 days ago

Plug.Cowboy vulnerable to unauthenticated remote DoS via HTTP/2 `:scheme` atom-table exhaustion GSA_kwCzR0hTQS1xOHg0LXg3bXAtNXZnMs4ABWNp

hex plug_cowboy
High
25 days ago

Long-poll NDJSON body splitting causes unbounded memory allocation in Phoenix EEF-CVE-2026-32689

hex phoenix
Medium
29 days ago

CL.CL HTTP request smuggling via duplicate Content-Length in bandit EEF-CVE-2026-39805

hex bandit
High
29 days ago

WebSocket permessage-deflate inflate has no output-size cap in bandit EEF-CVE-2026-39804

hex bandit
Medium
29 days ago

Client-supplied URI scheme trusted without transport verification in bandit EEF-CVE-2026-39807

hex bandit
High
29 days ago

WebSocket fragmented message reassembly unbounded in bandit EEF-CVE-2026-42786

hex bandit
Medium
29 days ago

HTTP/2 frame size limit checked after body is buffered in bandit EEF-CVE-2026-42788

hex bandit
High
about 1 month ago

Atom table exhaustion via HTTP/2 :scheme pseudo-header in plug_cowboy EEF-CVE-2026-32688

hex plug_cowboy
High
about 2 months ago

wisp has Allocation of Resources Without Limits or Throttling GSA_kwCzR0hTQS04NjQ1LXAydjQtNzNyMs4ABUq6

hex wisp
High
about 2 months ago

Multipart form body parser bypasses body size limits in wisp EEF-CVE-2026-32145

hex wisp
Moderate
about 2 months ago

ewe Has Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting) GSA_kwCzR0hTQS14MnczLTIzanItaHJwZs4ABUl3

hex ewe
High
about 2 months ago

Ash.Type.Module.cast_input/2 atom exhaustion via unchecked Module.concat allows BEAM VM crash GSA_kwCzR0hTQS1qamY5LXc1dmotcjZ2cM4ABUh4

hex ash
High
2 months ago

elixir-nodejs has Cross-User Data Leakage or Information Disclosure due to Worker Protocol Race Condition GSA_kwCzR0hTQS1yd2NyLXJwY2MtM2c5bc4ABUU2

hex nodejs
Moderate
2 months ago

esaml XXE vulnerability allows local file disclosure and SSRF via crafted SAML messages GSA_kwCzR0hTQS00ZzJoLXZtN3gtNzQ3Y84ABUBu

hex esaml
High
2 months ago

Loop with Unreachable Exit Condition ('Infinite Loop') in ewe GSA_kwCzR0hTQS00dzk4LXhmMzktMjNncM4ABTvD

hex ewe
Moderate
2 months ago

Permissive List of Allowed Inputs in ewe GSA_kwCzR0hTQS05dzg4LTc5ZjgtbTN2cM4ABTvC

hex ewe
High
3 months ago

Wisp Vulnerable to Path Traversal GSA_kwCzR0hTQS1oN2NqLWoydnYtcXc4cs4ABTbx

hex wisp
High
3 months ago

Path Traversal in wisp.serve_static allows arbitrary file read EEF-CVE-2026-28807

hex wisp
Low
3 months ago

hex_core has Unsafe Deserialization of Erlang Terms GSA_kwCzR0hTQS1oeDl3LWYydzktOWc5Ns4ABS7c

hex hex_core
Low
3 months ago

Unsafe Deserialization of Erlang Terms in hex_core EEF-CVE-2026-21619

hex hex_core
Moderate
6 months ago

ALTCHA Proof-of-Work Vulnerable to Challenge Splicing and Replay GSA_kwCzR0hTQS02Z3ZxLWpjbXAtODk1Oc4ABPvn

hex, pypi, rubygems, maven, go, packagist, npm altcha, org.altcha:altcha, github.com/altcha-org/altcha-lib-go, altcha-org/altcha, altcha-lib
High
7 months ago

Ash has authorization bypass when bypass policy condition evaluates to true GSA_kwCzR0hTQS1wY3hxLWZqcDMtcjc1Ms4ABNg8

hex ash
High
7 months ago

Authorization bypass when bypass policy condition evaluates to true EEF-CVE-2025-48044

hex ash
High
8 months ago

Ash Framework: Filter authorization misapplies impossible bypass/runtime policies GSA_kwCzR0hTQS03cjdmLTl4cGotam1yN84ABNUK

hex ash
High
8 months ago

Bypass and runtime policies that can never pass may be incorrectly applied in filter authorization EEF-CVE-2025-48043

hex ash
High
9 months ago

Before action, Ash's hooks may execute in certain scenarios despite a request being forbidden GSA_kwCzR0hTQS1qajRqLXg1d3ctY3doOc4ABMIL

hex ash
High
9 months ago

Before action hooks may execute in certain scenarios despite a request being forbidden EEF-CVE-2025-48042

hex ash
Low
12 months ago

Missing Session Revocation on Logout in ash_authentication_phoenix EEF-CVE-2025-4754

hex ash_authentication_phoenix
Low
12 months ago

ash_authentication_phoenix has Insufficient Session Expiration GSA_kwCzR0hTQS1mN2dxLWg4anYtaDNjcc4ABJFp

hex ash_authentication_phoenix
Low
about 1 year ago

Hackney fails to properly release HTTP connections to the pool GSA_kwCzR0hTQS05Zm05LWhwN3AtNTNtZs4ABIbV

hex hackney
Moderate
about 1 year ago

ash_authentication has email link auto-click account confirmation vulnerability GSA_kwCzR0hTQS0zOTg4LXE4cTctcDc4N84ABGxC

hex ash_authentication
Moderate
over 1 year ago

Ash Authentication has flawed token revocation checking logic in actions generated by `mix ash_authentication.install` GSA_kwCzR0hTQS1xcm05LWY3NXctaGc0Y84ABEUV

hex ash_authentication
Low
over 1 year ago

Server-side Request Forgery (SSRF) in hackney GSA_kwCzR0hTQS12cTUyLTk5cjktaDVwd84ABETX

hex hackney
High
over 1 year ago

RabbitMQ HTTP API's queue deletion endpoint does not verify that the user has a required permission GSA_kwCzR0hTQS1wajMzLTc1eDUtMzJqNM4ABBCO

hex rabbit_common
Moderate
over 1 year ago

In AshPostgres, empty, atomic, non-bulk actions, policy bypass for side-effects vulnerability. GSA_kwCzR0hTQS1oZjU5LTdyd3EtNzg1bc4ABAmD

hex ash_postgres
Moderate
about 2 years ago

OpenID Connect client Atom Exhaustion in provider configuration worker ets table location GSA_kwCzR0hTQS1tajM1LTJyZ2YtY3Y4cM4AA6l2

hex oidcc
Moderate
about 2 years ago

erlang-jose vulnerable to denial of service via large p2c value GSA_kwCzR0hTQS05bWc0LXYzOTItOGo2OM4AA6IR

hex jose
Critical
over 2 years ago

Samly access control vulnerability GSA_kwCzR0hTQS1oM3J3LTc3dzctOTJnZs4AA5NA

hex Samly
Low
over 2 years ago

Pleroma Path Traversal vulnerability GSA_kwCzR0hTQS0yYzI4LW0ybTctbWY1Nc4AA2c9

hex pleroma
High
over 2 years ago

MTProto proxy remote code execution vulnerability GSA_kwCzR0hTQS03MzhxLW1jNzItMnEyMs4AA2X9

hex mtproto_proxy
Moderate
over 2 years ago

Pow Mnesia cache doesn't invalidate all expired keys on startup GSA_kwCzR0hTQS0zY2poLXA2cHctamh2Oc4AA18e

hex pow
High
almost 3 years ago

Livebook Desktop's protocol handler can be exploited to execute arbitrary command on Windows GSA_kwCzR0hTQS01NjR3LTk3cjctYzZwOc4AAz-c

hex livebook
Moderate
over 3 years ago

phoenix_html allows Cross-site Scripting in HEEx class attributes GSA_kwCzR0hTQS01ZzJoLTl4NXYtNWgzeM4AAw18

hex, npm phoenix_html
High
over 3 years ago

Phoenix before 1.6.14 mishandles check_origin wildcarding GSA_kwCzR0hTQS1wOGY3LTIyZ3EtbTdqOc4AAvXo

hex phoenix
Critical
about 4 years ago

ecdsa-elixir fails to check signatures, vulnerable to message forging GSA_kwCzR0hTQS14eDM2LTZydjQtZ2o4cs4AAqnc

hex ecdsa-elixir
High
about 4 years ago

Pivotal RabbitMQ is vulnerable to a denial of service attack GSA_kwCzR0hTQS1ocmZoLTdqNWYtOGNjcs4AAiwj

hex RabbitMQ
Low
about 4 years ago

Cross-site Scripting in RabbitMQ GSA_kwCzR0hTQS05cGY3LWY0N3EtbXdwcc4AAiwc

hex rabbit_common
Moderate
about 4 years ago

Ejabberd DoS via malformed stanza GSA_kwCzR0hTQS0yaDNxLXY0N2gtZjRyY84AAfwe

hex ejabberd
High
about 4 years ago

Erlang Solutions MongooseIM vulnerable to denial of service (DoS) via crafted XMPP stream GSA_kwCzR0hTQS01djV3LTQ0dzYtcTVods4AAepF

hex MongooseIM
Low
about 4 years ago

puppetlabs-rabbitmq allows local users to obtain sensitive information GSA_kwCzR0hTQS1oM2doLTk3OHItNzQ3d84AATUz

hex puppetlabs-rabbitmq
Critical
about 4 years ago

alchemist.vim vulnerable to remote code execution GSA_kwCzR0hTQS02eDY1LXZxcDctNXI2M84AAR2T

hex alchemist.vim

Filter by Severity

High 57 Moderate 24 Low 15 Medium 11 Critical 6

Filter by Package

bandit 14 hackney 12 cowlib 8 ash 7 plug 5 phoenix 4 absinthe 4 wisp 4 phoenix_storybook 3 ewe 3 hex_core 3 rabbit_common 2 cowboy 2 absinthe_plug 2 pow 2 postgrex 2 ash_authentication 2 plug_cowboy 2 oban_web 2 decimal 2 phoenix_html 2 ash_authentication_phoenix 2 ecto 1 altcha 1 jose 1 livebook 1 Samly 1 ejabberd 1 nodejs 1 pleroma 1 pow_assent 1 puppetlabs-rabbitmq 1 ash_postgres 1 altcha-lib 1 ecdsa-elixir 1 esaml 1 alchemist.vim 1 altcha 1 RabbitMQ 1 phoenix_html 1 altcha-org/altcha 1 paginator 1 oidcc 1 altcha 1 github.com/altcha-org/altcha-lib-go 1 ex_aws_sns 1 xain 1 coherence 1 org.altcha:altcha 1 MongooseIM 1 ex_webrtc 1 mtproto_proxy 1 sweet_xml 1

Filter by Repository

https://github.com/benoitc/hackney 12 https://github.com/mtrudel/bandit 7 https://github.com/ash-project/ash 6 https://github.com/ninenines/cowlib 3 https://github.com/phenixdigital/phoenix_storybook 3 https://github.com/absinthe-graphql/absinthe 2 https://github.com/elixir-ecto/ecto 2 https://github.com/elixir-plug/plug 2 https://github.com/gleam-wisp/wisp 2 https://github.com/hexpm/hex_core 2 https://github.com/oban-bg/oban_web 2 https://github.com/phoenixframework/phoenix 2 https://github.com/phoenixframework/phoenix_html 2 https://github.com/team-alembic/ash_authentication_phoenix 2 https://github.com/team-alembic/ash_authentication 2 https://github.com/tonini/alchemist-server 1 https://github.com/absinthe-graphql/absinthe_plug 1 https://github.com/ash-project/ash_postgres 1 https://github.com/danschultzer/pow 1 https://github.com/dropbox/samly 1 https://github.com/DrunkenShells/Disclosures 1 https://github.com/duffelhq/paginator 1 https://github.com/starkbank/ecdsa-elixir 1 https://github.com/smpallen99/xain 1 https://github.com/elixir-plug/plug_cowboy 1 https://github.com/ericmj/decimal 1 https://github.com/erlef/cowlib 1 https://github.com/erlef/oidcc 1 https://github.com/esl/MongooseIM 1 https://github.com/ex-aws/ex_aws_sns 1 https://github.com/smpallen99/coherence 1 https://github.com/rabbitmq/rabbitmq-server 1 https://github.com/kbrw/sweet_xml 1 https://github.com/kphrx/pleroma 1 https://github.com/livebook-dev/livebook 1 https://github.com/processone/ejabberd 1 https://github.com/ninenines/cowboy 1 https://github.com/pow-auth/pow_assent 1 https://github.com/pow-auth/pow 1 https://github.com/P3ngu1nW/CVE_Request 1