XSS Vulnerability in Hexpm Product by Hexpm
CVE-2026-21618

8.5HIGH

Key Information:

Vendor: Hexpm
Status: Hexpm; Hex.pm
Vendor: CVE Published:; 19 January 2026

What is CVE-2026-21618?

A vulnerability exists in Hexpm that allows for improper neutralization of input during web page generation, leading to potential Cross-Site Scripting (XSS) attacks. This issue affects specific versions of the Hexpm product, particularly in the 'Elixir.HexpmWeb.SharedAuthorizationView' module. It enables attackers to inject malicious scripts into web pages, compromising the security and integrity of web applications that utilize Hexpm. Users are urged to evaluate their versions and update accordingly to mitigate this risk.

Affected Version(s)

hex.pm 2025-10-01 < 2026-01-19

hexpm 617e44c71f1dd9043870205f371d375c5c4d886d

References

https://github.com/hexpm/hexpm/security/advisories/GHSA-6...

vendor-advisoryrelated

https://cna.erlef.org/cves/CVE-2026-21618.html

https://osv.dev/vulnerability/EEF-CVE-2026-21618

CVSS V4

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 19, 2026
Vulnerability Reserved
Jan 1, 2026

Credit

Joud Zakharia / zentrust partners GmbH

Jonatan Männchen / EEF

Eric Meadows-Jönsson / Hex.pm

CVE-2026-21618 Data

JSON