Vulnerabilities

search
ID
Packages
Summary
Published
arrow_upward
Attributes
GHSA-52mm-h59v-f3c7
  • Hex/earmark
 earmark: Stored XSS via unescaped HTML attribute values 23 hours ago
  • No fix available
  • Severity - 4.8 (Medium)
EEF-CVE-2026-48591
  • Hex/earmark
  • github.com/pragdave/earmark
 Stored XSS via unescaped HTML attribute values in earmark yesterday
  • No fix available
  • Severity - 4.8 (Medium)
EEF-CVE-2026-48853
  • Hex/grpc
  • github.com/elixir-grpc/grpc
 Remote code execution and denial of service via unsafe Erlang term deserialization in elixir-grpc/grpc 2 days ago
  • Fix available
  • Severity - 9.2 (Critical)
EEF-CVE-2026-53430
  • Hex/grpc
  • github.com/elixir-grpc/grpc
 grpc gzip decompression bomb in GRPC.Compressor.Gzip.decompress/1 2 days ago
  • Fix available
  • Severity - 8.7 (High)
EEF-CVE-2026-48599
  • Hex/grpc
  • github.com/elixir-grpc/grpc
 Authorization bypass via path binding override in elixir-grpc/grpc HTTP transcoding 2 days ago
  • Fix available
  • Severity - 7.6 (High)
EEF-CVE-2026-48854
  • Hex/grpc
  • github.com/elixir-grpc/grpc
 Unbounded request body accumulation causes memory exhaustion in elixir-grpc/grpc 2 days ago
  • Fix available
  • Severity - 8.7 (High)
EEF-CVE-2026-49757
  • Hex/ash_authentication
  • github.com/team-alembic/ash_authentication.git
 OAuth2/OIDC account takeover in AshAuthentication via email-based user matching 3 days ago
  • Fix available
  • Severity - 9.2 (Critical)
EEF-CVE-2026-53423
  • Hex/membrane_mp4_plugin
  • github.com/membraneframework/membrane_mp4_plugin
 Unauthenticated denial-of-service via BEAM atom table exhaustion in membrane_mp4_plugin 11 Jun
  • Fix available
  • Severity - 5.9 (Medium)
GHSA-mrhx-6pw9-q5fh
  • Hex/phoenix_storybook
 PhoenixStorybook has cross-session PubSub topic injection via URL parameter 09 Jun
  • Fix available
  • Severity - 2.3 (Low)
GHSA-833p-95jq-929q
  • Hex/phoenix_storybook
 PhoenixStorybook: Unbounded atom creation from LiveView event params (atom-table DoS) 09 Jun
  • Fix available
  • Severity - 8.2 (High)
GHSA-55hg-8qxv-qj4p
  • Hex/phoenix_storybook
 PhoenixStorybook: Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground 09 Jun
  • Fix available
  • Severity - 9.5 (Critical)
EEF-CVE-2026-43966
  • Hex/cowlib
  • github.com/ninenines/cowlib
 HTTP Response Splitting via Non-VCHAR Bytes in cow_http_struct_hd:escape_string/2 08 Jun
  • No fix available
  • Severity - 6.3 (Medium)
EEF-CVE-2026-49755
  • Hex/req
  • github.com/wojtekmach/req.git
 Decompression bomb DoS in Req via auto-decoded archive and compressed response bodies 08 Jun
  • Fix available
  • Severity - 8.2 (High)
EEF-CVE-2026-49756
  • Hex/req
  • github.com/wojtekmach/req.git
 Multipart form-data header injection in Req via unescaped name/filename/content_type 08 Jun
  • Fix available
  • Severity - 2.1 (Low)
EEF-CVE-2026-43973
  • Hex/gun
  • github.com/ninenines/gun.git
 gun HTTP/1.1 response buffer has no size limit allowing server-controlled memory exhaustion 08 Jun
  • Fix available
  • Severity - 8.7 (High)
EEF-CVE-2026-43972
  • Hex/gun
  • github.com/ninenines/gun.git
 gun HTTP/2 PUSH_PROMISE authority not validated against connection origin allows cross-origin cookie injection 08 Jun
  • Fix available
  • Severity - 6.3 (Medium)
Load more...