Browse all 7 CVE security advisories affecting hexpm. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Hexpm serves as the package manager for the Elixir language ecosystem, enabling developers to distribute and manage dependencies. Historically, vulnerabilities in hexpm-related packages have commonly included remote code execution, cross-site scripting, and privilege escalation flaws, often stemming from insecure input validation or improper access controls. While no major security incidents have been widely documented, the 7 CVEs on record highlight potential risks in dependency integrity and package verification. The platform's security relies on community vigilance and hexpm's infrastructure safeguards, though the distributed nature of package maintenance remains a challenge for consistent security oversight across the ecosystem.
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-23940 | Denial of Service via Oversized Package Upload | hexpm | CWE-400 | 7.5 | - | 2026-03-13 |
| CVE-2026-21622 | Password Reset Tokens Do Not Expire | hexpm | CWE-613 | 8.1 | - | 2026-03-05 |
| CVE-2026-21621 | Improper Scope Enforcement in OAuth client_credentials Flow Allows Read-Only API Key to Escalate to Full Access | hexpm | CWE-863 | 8.8 | - | 2026-03-05 |
| CVE-2026-23939 | Path Traversal in Local File Store Backend | hexpm | CWE-22 | 9.1 (AI-assessed) | Critical (AI-assessed) | 2026-02-26 |
| CVE-2026-21618 | Cross-site scripting (XSS) in OAuth Device Authorization screen | hexpm | CWE-79 | 6.1 (AI-assessed) | Medium (AI-assessed) | 2026-01-19 |
This page lists every published CVE security advisory associated with hexpm. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products, and references. AI-generated Chinese analysis is provided for fast triage; CVSS scores and severities marked "AI-assessed" are AI-generated rather than vendor- or NVD-assigned.