EEF-CVE-2026-23939

Source
https://cna.erlef.org/osv/EEF-CVE-2026-23939.html
Import Source
https://cna.erlef.org/osv/EEF-CVE-2026-23939.json
JSON Data
https://api.test.osv.dev/v1/vulns/EEF-CVE-2026-23939
Aliases
  • CVE-2026-23939
  • GHSA-42mv-r64p-4869
Published
2026-02-26T19:41:18.762Z
Modified
2026-02-27T03:57:08.485Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Path Traversal in Local File Store Backend
Details

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Store.Local' module) allows Relative Path Traversal. This vulnerability is associated with program files lib/hexpm/store/local.ex and program routines 'Elixir.Hexpm.Store.Local':get/3, 'Elixir.Hexpm.Store.Local':put/4, 'Elixir.Hexpm.Store.Local':delete/2, 'Elixir.Hexpm.Store.Local':delete_many/2.

This issue does NOT affect the hosted hex.pm service itself. Only self-hosted deployments that use the Local Storage backend are affected.

This issue affects hexpm: from 931ee0ed46fa89218e0400a4f6e6d15f96406050 before 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0.

Database specific
{
    "capec_ids": [
        "CAPEC-139"
    ],
    "cpe_ids": [
        "cpe:2.3:a:hexpm:hexpm:*:*:*:*:*:*:*:*"
    ],
    "cwe_ids": [
        "CWE-22"
    ]
}
References
Credits
  • Michael Lubas / Paraxial.io - FINDER
  • Jonatan Männchen / EEF - REMEDIATION_DEVELOPER
  • Eric Meadows-Jönsson / Hex.pm - REMEDIATION_REVIEWER

Affected packages

Git / github.com/hexpm/hexpm.git

Affected ranges

Type
GIT
Repo
https://github.com/hexpm/hexpm.git
Events

Database specific

source
"https://cna.erlef.org/osv/EEF-CVE-2026-23939.json"