CVE Vulnerability Details :
CVE-2026-21619
PUBLISHED
Assigner: EEF
Assigner Org ID: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Published At: 27 Feb, 2026 | 17:57
Updated At: 27 Feb, 2026 | 19:08
▼CVE Numbering Authority (CNA)
Unsafe Deserialization of Erlang Terms in hex_core

Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation. This vulnerability is associated with program files src/hex_api.erl, src/mix_hex_api.erl, apps/rebar/src/vendored/r3_hex_api.erl and program routines hex_core:request/4, mix_hex_api:request/4, r3_hex_api:request/4. This issue affects hex_core: from 0.1.0 before 0.12.1; hex: from 2.3.0 before 2.3.2; rebar3: from 3.9.1 before 3.27.0.

Affected Products
Vendor
hexpm
Product
hex_core
Collection URL
https://github.com
Package Name
hexpm/hex_core
Repo
https://github.com/hexpm/hex_core
CPEs
  • cpe:2.3:a:hexpm:hex_core:*:*:*:*:*:*:*:*
Modules
  • hex_api
Program Files
  • src/hex_api.erl
Program Routines
  • hex_core:request/4
Default Status
unaffected
Versions
Affected
  • From eb327f8edfe45507351e38cc0805aa12fa647f0b before cdf726095bca85ad2549d146df1e831ae93c2b13 (git)
Vendor
hexpm
Product
hex_core
Collection URL
https://repo.hex.pm
Package Name
hex_core
Repo
https://github.com/hexpm/hex_core
CPEs
  • cpe:2.3:a:hexpm:hex_core:*:*:*:*:*:*:*:*
Modules
  • hex_api
Program Files
  • src/hex_api.erl
Program Routines
  • hex_core:request/4
Default Status
unaffected
Versions
Affected
  • From 0.1.0 before 0.12.1 (semver)
  • From pkg:hex/hex_core@0.1.0 before pkg:hex/hex_core@0.12.1 (purl)
Vendor
hexpm
Product
hex
Collection URL
https://github.com
Package Name
hexpm/hex
Repo
https://github.com/hexpm/hex
CPEs
  • cpe:2.3:a:hexpm:hex:*:*:*:*:*:*:*:*
Modules
  • mix_hex_api
Program Files
  • src/mix_hex_api.erl
Program Routines
  • mix_hex_api:request/4
Default Status
unaffected
Versions
Affected
  • From 314546ac432229518714cc8e3336e916b9da6305 before 636739f3322514e9303ca335fb630696fcbb3c95 (git)
Vendor
hexpm
Product
hex
Package Name
hex
Repo
https://github.com/hexpm/hex
CPEs
  • cpe:2.3:a:hexpm:hex:*:*:*:*:*:*:*:*
Modules
  • mix_hex_api
Program Files
  • src/mix_hex_api.erl
Program Routines
  • mix_hex_api:request/4
Default Status
unaffected
Versions
Affected
  • From 2.3.0 before 2.3.2 (semver)
  • From pkg:otp/hex@2.3.0 before pkg:otp/hex@2.3.2 (purl)
Vendor
erlang
Product
rebar3
Collection URL
https://github.com
Package Name
erlang/rebar3
Repo
https://github.com/erlang/rebar3
CPEs
  • cpe:2.3:a:erlang:rebar3:*:*:*:*:*:*:*:*
Modules
  • r3_hex_api
Program Files
  • apps/rebar/src/vendored/r3_hex_api.erl
Program Routines
  • r3_hex_api:request/4
Default Status
unaffected
Versions
Affected
  • From 209c02ec57c2cc3207ee0174c3af3675b8dc8f79 before 1d4478f527e373de0b225951e53115450e0d9b9d (git)
Vendor
erlang
Product
rebar3
Collection URL
https://github.com
Package Name
rebar3
Repo
https://github.com/erlang/rebar3
CPEs
  • cpe:2.3:a:erlang:rebar3:*:*:*:*:*:*:*:*
Modules
  • r3_hex_api
Program Files
  • apps/rebar/src/vendored/r3_hex_api.erl
Program Routines
  • r3_hex_api:request/4
Default Status
unaffected
Versions
Affected
  • From 3.9.1 before 3.27.0 (semver)
  • From pkg:otp/rebar3@3.9.1 before pkg:otp/rebar3@3.27.0 (purl)
Problem Types
Type: CWE
CWE ID: CWE-400
Description: CWE-400 Uncontrolled Resource Consumption
Type: CWE
CWE ID: CWE-502
Description: CWE-502 Deserialization of Untrusted Data
Metrics
Version: 4.0
Base score: 2.0
Base severity: LOW
Vector:
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Impacts
CAPEC ID: CAPEC-586
Description: CAPEC-586 Object Injection
CAPEC ID: CAPEC-130
Description: CAPEC-130 Excessive Allocation
Credits

finder
Michael Lubas / Paraxial.ia
remediation developer
Jonatan Männchen / EEF
remediation reviewer
Eric Meadows-Jönsson / Hex.pm
References
  • https://github.com/hexpm/hex_core/security/advisories/GHSA-hx9w-f2w9-9g96 (vendor-advisory)
  • https://github.com/hexpm/hex_core/commit/cdf726095bca85ad2549d146df1e831ae93c2b13 (patch)
  • https://github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95 (patch)
  • https://github.com/erlang/rebar3/commit/1d4478f527e373de0b225951e53115450e0d9b9d (patch)
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment