Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-23939
PUBLISHED
More InfoOfficial Page
Assigner-EEF
Assigner Org ID-6b3ad84c-e1a6-4bf7-a703-f496b71e49db
View Known Exploited Vulnerability (KEV) details
Published At-26 Feb, 2026 | 19:41
Updated At-27 Feb, 2026 | 03:57
Rejected At-
▼CVE Numbering Authority (CNA)
Path Traversal in Local File Store Backend

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Store.Local' module) allows Relative Path Traversal. This vulnerability is associated with program files lib/hexpm/store/local.ex and program routines 'Elixir.Hexpm.Store.Local':get/3, 'Elixir.Hexpm.Store.Local':put/4, 'Elixir.Hexpm.Store.Local':delete/2, 'Elixir.Hexpm.Store.Local':delete_many/2. This issue does NOT affect hex.pm the service. Only self-hosted deployments using the Local Storage backend are affected. This issue affects hexpm: from 931ee0ed46fa89218e0400a4f6e6d15f96406050 before 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0.

Affected Products
Vendor
hexpm
Product
hexpm
Collection URL
https://github.com
Package Name
hexpm/hexpm
Repo
https://github.com/hexpm/hexpm.git
CPEs
  • cpe:2.3:a:hexpm:hexpm:*:*:*:*:*:*:*:*
Modules
  • 'Elixir.Hexpm.Store.Local'
Program Files
  • lib/hexpm/store/local.ex
Program Routines
  • 'Elixir.Hexpm.Store.Local':get/3
  • 'Elixir.Hexpm.Store.Local':put/4
  • 'Elixir.Hexpm.Store.Local':delete/2
  • 'Elixir.Hexpm.Store.Local':delete_many/2
Default Status
unaffected
Versions
Affected
  • From 931ee0ed46fa89218e0400a4f6e6d15f96406050 before 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0 (git)
  • From pkg:github/hexpm/hexpm@931ee0ed46fa89218e0400a4f6e6d15f96406050 before pkg:github/hexpm/hexpm@5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0 (purl)
Problem Types
TypeCWE IDDescription
CWECWE-22CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Type: CWE
CWE ID: CWE-22
Description: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Metrics
VersionBase scoreBase severityVector
4.06.9MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Version: 4.0
Base score: 6.9
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-139CAPEC-139 Relative Path Traversal
CAPEC ID: CAPEC-139
Description: CAPEC-139 Relative Path Traversal
Solutions
Configurations
Workarounds

* Avoid the local file store backend in any exposed environment. * Restrict network access to the registry when using the local backend. * Production deployments should use object storage (e.g., S3-compatible backends) instead of the local filesystem store.

Exploits
Credits
finder
Michael Lubas / Paraxial.io
remediation developer
Jonatan Männchen / EEF
remediation reviewer
Eric Meadows-Jönsson / Hex.pm
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/hexpm/hexpm/security/advisories/GHSA-42mv-r64p-4869
vendor-advisory
https://github.com/hexpm/hexpm/commit/5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0
patch
Hyperlink: https://github.com/hexpm/hexpm/security/advisories/GHSA-42mv-r64p-4869
Resource:
vendor-advisory
Hyperlink: https://github.com/hexpm/hexpm/commit/5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0
Resource:
patch
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found