OSV - Open Source Vulnerabilities

GHSA-9mhv-8h52-q7q2

Hex/absinthe

Absinthe: Quadratic fragment-name uniqueness check

3 days ago

Fix available
Severity - 8.7 (High)

GHSA-qf4g-9fqq-mmm7

Hex/absinthe

Absinthe: Unbounded atom creation from parsed directive name

3 days ago

Fix available
Severity - 8.2 (High)

EEF-CVE-2026-8468

Hex/plug
github.com/elixir-plug/plug

Unbounded buffer accumulation in multipart header parsing causes denial of service in plug

3 days ago

Fix available
Severity - 8.2 (High)

EEF-CVE-2026-43970

Hex/cowlib
github.com/ninenines/cowlib

Decompression Bomb in cow_spdy:inflate/2 Allows Memory Exhaustion via Crafted SPDY Frame

3 days ago

Fix available
Severity - 8.2 (High)

EEF-CVE-2026-8466

Hex/cowboy
github.com/ninenines/cowboy

Unbounded buffer accumulation in multipart header parsing causes denial of service in cowboy

3 days ago

Fix available
Severity - 8.2 (High)

EEF-CVE-2026-39806

Hex/bandit
github.com/mtrudel/bandit

HTTP/1 chunked decoder infinite loop on requests with trailer fields in bandit

4 days ago

Fix available
Severity - 8.7 (High)

EEF-CVE-2026-39803

Hex/bandit
github.com/mtrudel/bandit

HTTP/1 chunked body reader ignores length cap in bandit

4 days ago

Fix available
Severity - 8.7 (High)

GHSA-rhv4-8758-jx7v

Hex/decimal

Decimal: Unbounded exponent in `Decimal.new` enables unauthenticated DoS

5 days ago

Fix available
Severity - 6.9 (Medium)

EEF-CVE-2026-32687

Hex/postgrex
github.com/elixir-ecto/postgrex.git

SQL injection via channel name in Postgrex.Notifications.listen/3 and unlisten/3

5 days ago

Fix available
Severity - 7.5 (High)

EEF-CVE-2026-43968

Hex/cowlib
github.com/ninenines/cowlib

CR Injection in SSE Encoder Enables Event Splitting via cow_sse:event/1

5 days ago

Fix available
Severity - 6.3 (Medium)

EEF-CVE-2026-7790

Hex/cowlib
github.com/ninenines/cowlib

Unbounded chunk-size hex digits in cowlib cause quadratic CPU and memory DoS

5 days ago

Fix available
Severity - 8.7 (High)

EEF-CVE-2026-43969

Hex/cowlib
github.com/ninenines/cowlib

Cookie Request Header Injection via Unvalidated Encoder in cow_cookie:cookie/1

5 days ago

No fix available
Severity - 2.1 (Low)

GHSA-628h-q48j-jr6q

Hex/phoenix

Phoenix: Long-poll NDJSON body splitting causes large memory allocation

08 May

Fix available
Severity - 8.7 (High)

GHSA-c62g-j346-39v5

Hex/absinthe_plug

absinthe_plug Has a Cross-site Scripting vulnerability

08 May

No fix available
Severity - 2.3 (Low)

GHSA-qwfw-ggxw-577c

Hex/ex_webrtc

ex_webrtc client-role handshake is missing DTLS peer fingerprint validation

08 May

Fix available
Severity - 8.7 (High)

EEF-CVE-2026-42793

Hex/absinthe
github.com/absinthe-graphql/absinthe

Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe

08 May

Fix available
Severity - 8.2 (High)