XSS in Hexpm Hex.pm
CVE-2026-21618
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.SharedAuthorizationView' modules) allows Cross-Site Scripting (XSS). This vulnerability is ass…
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.001 (21.0th percentile)
Affected products
- Hexpm Hex.pm — versions 2025-10-01
- Hexpm — versions 617e44c71f1dd9043870205f371d375c5c4d886d
Weakness classification (CWE)
References
- github.com/hexpm/hexpm/security/advisories/GHSA-6cw9-5gg4-rhpj (vendor-advisory, related)
- cna.erlef.org/cves/CVE-2026-21618.html (related)
- osv.dev/vulnerability/EEF-CVE-2026-21618 (related)
- github.com/hexpm/hexpm/commit/c692438684ead90c3bcbfb9ccf4e63c768c668a8 (patch)