Vulnerabilities

ID
Packages
Summary
Published
Attributes
EEF-CVE-2026-55736
  • Hex/ash
  • github.com/ash-project/ash
Private action arguments can be set by user input in Ash
Published: yesterday
  • Fix available
  • Severity - 5.9 (Medium)
EEF-CVE-2026-54892
  • Hex/plug
  • github.com/elixir-plug/plug
Plug: quadratic-time decoding of nested query/body parameters enables denial of service
Published: 2 days ago
  • Fix available
  • Severity - 8.7 (High)
GHSA-52mm-h59v-f3c7
  • Hex/earmark
earmark: Stored XSS via unescaped HTML attribute values
Published: 17 Jun
  • No fix available
  • Severity - 4.8 (Medium)
EEF-CVE-2026-48591
  • Hex/earmark
  • github.com/pragdave/earmark
Stored XSS via unescaped HTML attribute values in earmark
Published: 17 Jun
  • No fix available
  • Severity - 4.8 (Medium)
EEF-CVE-2026-48853
  • Hex/grpc
  • github.com/elixir-grpc/grpc
Remote code execution and denial of service via unsafe Erlang term deserialization in elixir-grpc/grpc
Published: 15 Jun
  • Fix available
  • Severity - 9.2 (Critical)
EEF-CVE-2026-53430
  • Hex/grpc
  • github.com/elixir-grpc/grpc
grpc gzip decompression bomb in GRPC.Compressor.Gzip.decompress/1
Published: 15 Jun
  • Fix available
  • Severity - 8.7 (High)
EEF-CVE-2026-48599
  • Hex/grpc
  • github.com/elixir-grpc/grpc
Authorization bypass via path binding override in elixir-grpc/grpc HTTP transcoding
Published: 15 Jun
  • Fix available
  • Severity - 7.6 (High)
EEF-CVE-2026-48854
  • Hex/grpc
  • github.com/elixir-grpc/grpc
Unbounded request body accumulation causes memory exhaustion in elixir-grpc/grpc
Published: 15 Jun
  • Fix available
  • Severity - 8.7 (High)
EEF-CVE-2026-49757
  • Hex/ash_authentication
  • github.com/team-alembic/ash_authentication.git
OAuth2/OIDC account takeover in AshAuthentication via email-based user matching
Published: 15 Jun
  • Fix available
  • Severity - 9.2 (Critical)
EEF-CVE-2026-53423
  • Hex/membrane_mp4_plugin
  • github.com/membraneframework/membrane_mp4_plugin
Unauthenticated denial-of-service via BEAM atom table exhaustion in membrane_mp4_plugin
Published: 11 Jun
  • Fix available
  • Severity - 5.9 (Medium)
GHSA-mrhx-6pw9-q5fh
  • Hex/phoenix_storybook
PhoenixStorybook has cross-session PubSub topic injection via URL parameter
Published: 09 Jun
  • Fix available
  • Severity - 2.3 (Low)
GHSA-833p-95jq-929q
  • Hex/phoenix_storybook
PhoenixStorybook: Unbounded atom creation from LiveView event params (atom-table DoS)
Published: 09 Jun
  • Fix available
  • Severity - 8.2 (High)
GHSA-55hg-8qxv-qj4p
  • Hex/phoenix_storybook
PhoenixStorybook: Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground
Published: 09 Jun
  • Fix available
  • Severity - 9.5 (Critical)
EEF-CVE-2026-43966
  • Hex/cowlib
  • github.com/ninenines/cowlib
HTTP Response Splitting via Non-VCHAR Bytes in cow_http_struct_hd:escape_string/2
Published: 08 Jun
  • No fix available
  • Severity - 6.3 (Medium)
EEF-CVE-2026-49755
  • Hex/req
  • github.com/wojtekmach/req.git
Decompression bomb DoS in Req via auto-decoded archive and compressed response bodies
Published: 08 Jun
  • Fix available
  • Severity - 8.2 (High)
EEF-CVE-2026-49756
  • Hex/req
  • github.com/wojtekmach/req.git
Multipart form-data header injection in Req via unescaped name/filename/content_type
Published: 08 Jun
  • Fix available
  • Severity - 2.1 (Low)