Vulnerability in Elixir-plug Plug

CVE-2026-54892

Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-…

Affected products

Elixir-plug Plug — versions 1.15.0, 1.16.0, 1.17.0

Weakness classification (CWE)

CWE-407 — Inefficient Algorithmic Complexity

References

6b3ad84c-e1a6-4bf7-a703-f496b71e49db (related, vendor-advisory)
6b3ad84c-e1a6-4bf7-a703-f496b71e49db (related)
6b3ad84c-e1a6-4bf7-a703-f496b71e49db (related)
6b3ad84c-e1a6-4bf7-a703-f496b71e49db (patch)
6b3ad84c-e1a6-4bf7-a703-f496b71e49db (patch)
6b3ad84c-e1a6-4bf7-a703-f496b71e49db (patch)
6b3ad84c-e1a6-4bf7-a703-f496b71e49db (patch)
6b3ad84c-e1a6-4bf7-a703-f496b71e49db (patch)