CVE-2026-21619

Source
https://cve.org/CVERecord?id=CVE-2026-21619
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-21619.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-21619
Aliases
Downstream
Published
2026-02-27T18:16:11.373Z
Modified
2026-03-03T01:22:47.823278Z
Severity
  • 2.0 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Summary
[none]
Details

Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation. This vulnerability is associated with program files src/hex_api.erl, src/mix_hex_api.erl, apps/rebar/src/vendored/r3_hex_api.erl and program routines hex_core:request/4, mix_hex_api:request/4, r3_hex_api:request/4.

This issue affects hex_core: from 0.1.0 before 0.12.1; hex: from 2.3.0 before 2.3.2; rebar3: from 3.9.1 before 3.27.0.

References

Affected packages

Git / github.com/erlang/rebar3

Affected ranges

Type
GIT
Repo
https://github.com/erlang/rebar3
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed

Affected versions

3.*
3.11.0
3.11.1
3.12.0
3.13.0
3.14.0
3.14.0-rc1
3.14.0-rc2
3.14.1
3.14.2
3.14.4
3.15.0
3.15.1
3.16.0
3.16.1
3.17.0
3.18.0
3.19.0
3.20.0
3.21.0
3.22.0
3.22.1
3.23.0
3.24.0
3.25.0
3.25.1
3.26.0
3.9.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-21619.json"

Git / github.com/hexpm/hex

Affected ranges

Type
GIT
Repo
https://github.com/hexpm/hex
Events

Affected versions

v0.*
v0.1.0
v0.1.1
v0.1.2
v0.10.0
v0.10.2
v0.10.3
v0.10.4
v0.11.0
v0.11.1
v0.11.2
v0.11.3
v0.11.4
v0.11.5
v0.12.0
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.5.0
v0.6.0
v0.6.1
v0.6.2
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.7.4
v0.7.5
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.9.0
v2.*
v2.3.0
v2.3.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-21619.json"

Git / github.com/hexpm/hex_core

Affected ranges

Type
GIT
Repo
https://github.com/hexpm/hex_core
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed

Affected versions

v0.*
v0.1.0
v0.1.1
v0.10.0
v0.10.1
v0.10.2
v0.10.3
v0.11.0
v0.12.0
v0.2.0
v0.2.1
v0.3.0
v0.4.0
v0.5.0
v0.6.0
v0.6.1
v0.6.3
v0.6.4
v0.6.5
v0.6.6
v0.6.7
v0.6.8
v0.6.9
v0.7.0
v0.7.1
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.8.4
v0.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-21619.json"