CVE-2026-21619
Published: Feb 27, 2026
Modified: May 27, 2026
Description
Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation. This vulnerability is associated with program files src/hex_api.erl, src/mix_hex_api.erl, apps/rebar/src/vendored/r3_hex_api.erl and program routines hex_core:request/4, mix_hex_api:request/4, r3_hex_api:request/4. This issue affects hex_core: from 0.1.0 before 0.12.1; hex: from 2.3.0 before 2.3.2; rebar3: from 3.9.1 before 3.27.0.
| Vendor | Product | Versions |
|---|---|---|
| hexpm | hex_core | affected eb327f8edfe45507351e38cc0805aa12fa647f0b - < cdf726095bca85ad2549d146df1e831ae93c2b13 |
| hexpm | hex_core | affected 0.1.0 - < 0.12.1 |
| hexpm | hex | affected 314546ac432229518714cc8e3336e916b9da6305 - < 636739f3322514e9303ca335fb630696fcbb3c95 |
| hexpm | hex | affected 2.3.0 - < 2.3.2 |
| erlang | rebar3 | affected 209c02ec57c2cc3207ee0174c3af3675b8dc8f79 - < 1d4478f527e373de0b225951e53115450e0d9b9d |
| erlang | rebar3 | affected 3.9.1 - < 3.27.0 |