Path Traversal Vulnerability in Hexpm Product by Hexpm Vendor
CVE-2026-23939

6.9MEDIUM

Key Information:

Vendor: Hexpm
Status: Hexpm
Vendor: CVE Published:; 26 February 2026

What is CVE-2026-23939?

A vulnerability exists in the Hexpm product, specifically in the Elixir.Hexpm.Store.Local module, which permits relative path traversal. This can lead to unauthorized access to files and directories outside of the intended storage scope. Affected are self-hosted installations using the Local Storage backend. This issue is not present in the hosted service at hex.pm. Key program files and routines including lib/hexpm/store/local.ex and related methods such as 'get/3', 'put/4', 'delete/2', and 'delete_many/2' are implicated. Users of Hexpm are advised to evaluate their deployment and apply the necessary updates.

Affected Version(s)

hexpm 931ee0ed46fa89218e0400a4f6e6d15f96406050 < 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0

References

https://github.com/hexpm/hexpm/security/advisories/GHSA-4...

vendor-advisoryrelated

https://cna.erlef.org/cves/CVE-2026-23939.html

https://osv.dev/vulnerability/EEF-CVE-2026-23939

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 26, 2026
Vulnerability Reserved
Jan 19, 2026

Credit

Michael Lubas / Paraxial.io

Jonatan Männchen / EEF

Eric Meadows-Jönsson / Hex.pm

CVE-2026-23939 Data

JSON