Vulnerability in Hex

CVE-2026-32148

Insufficient Verification of Data Authenticity vulnerability in hexpm hex (Hex.RemoteConverger module) allows dependency integrity bypass via unverified lockfile checksums. Hex stores checksums for dependencies in the mix.lock file to ens…

EPSS: 0.000 (5.9th percentile).

CVSS v3 metric

CVSS v3 base score 5.9 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N.

Affected products

  • Hex
  • Hexpm Hex — versions 0.16.0, e01576f28c64af9fae6eb17e2dad30f6efcb303c

Frequently asked questions

What is CVE-2026-32148?
CVE-2026-32148 is a medium-severity vulnerability in Hex, classified under Improper Validation of Integrity Check Value. CVSS score: 5.9/10. Published 2026-04-30.

How severe is CVE-2026-32148?
Medium severity. CVSS v3 base score is 5.9 out of 10.