CVE-2026-21618

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.SharedAuthorizationView' modules) allows Cross-Site Scripting (XSS). This vulnerability is associated with program files lib/hexpm_web/views/shared_authorization_view.ex and program routines 'Elixir.HexpmWeb.SharedAuthorizationView':render_grouped_scopes/3. This issue affects hexpm: from 617e44c71f1dd9043870205f371d375c5c4d886d before c692438684ead90c3bcbfb9ccf4e63c768c668a8, from pkg:github/hexpm/hexpm@617e44c71f1dd9043870205f371d375c5c4d886d before pkg:github/hexpm/hexpm@c692438684ead90c3bcbfb9ccf4e63c768c668a8; hex.pm: from 2025-10-01 before 2026-01-19.
Configurations

Configuration 1

cpe:2.3:a:hex:hexpm:*:*:*:*:*:*:*:*

History

06 Apr 2026, 17:17

Type Values Removed Values Added
References
  • https://cna.erlef.org/cves/CVE-2026-21618.html
  • https://osv.dev/vulnerability/EEF-CVE-2026-21618

25 Mar 2026, 14:27

Type Values Removed Values Added
References
  • Removed: https://github.com/hexpm/hexpm/commit/c692438684ead90c3bcbfb9ccf4e63c768c668a8
  • Added: https://github.com/hexpm/hexpm/commit/c692438684ead90c3bcbfb9ccf4e63c768c668a8 - Patch
References
  • Removed: https://github.com/hexpm/hexpm/security/advisories/GHSA-6cw9-5gg4-rhpj
  • Added: https://github.com/hexpm/hexpm/security/advisories/GHSA-6cw9-5gg4-rhpj - Mitigation, Vendor Advisory
CVSS
  • Removed: v2 : unknown, v3 : unknown
  • Added: v2 : unknown, v3 : 6.1
First Time Hex
Hex hexpm
CPE cpe:2.3:a:hex:hexpm:*:*:*:*:*:*:*:*
Summary
  • (es) Improper Neutralization of Input During Web Page Generation (XSS or 'cross-site scripting') vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.SharedAuthorizationView' modules) allows cross-site scripting (XSS). This vulnerability is associated with program files lib/hexpm_web/views/shared_authorization_view.ex and program routines 'Elixir.HexpmWeb.SharedAuthorizationView':render_grouped_scopes/3. This issue affects hexpm: from 617e44c71f1dd9043870205f371d375c5c4d886d before c692438684ead90c3bcbfb9ccf4e63c768c668a8, from pkg:github/hexpm/hexpm@617e44c71f1dd9043870205f371d375c5c4d886d before pkg:github/hexpm/hexpm@c692438684ead90c3bcbfb9ccf4e63c768c668a8; hex.pm: from 2025-10-01 before 2026-01-19.

19 Jan 2026, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2026-01-19 15:15

Updated : 2026-04-06 17:17


NVD link : CVE-2026-21618

Mitre link : CVE-2026-21618

CVE.ORG link : CVE-2026-21618

Products Affected

hex

  • hexpm
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')