Vulnerability in Hexpm Hex.pm

CVE-2026-21622

Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Accounts.PasswordReset' module) allows Account Takeover. Password reset tokens generated via the "Reset your password" flow do not expire. When a user reque…

EPSS: 0.001 (20.9th percentile)

Affected products

  • Hexpm Hex.pm — versions 2025-08-01
  • Hexpm — versions 617e44c71f1dd9043870205f371d375c5c4d886d

Weakness classification (CWE)

References