Vulnerability Details CVE-2026-21619
Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation. This vulnerability is associated with program files src/hex_api.erl, src/mix_hex_api.erl, apps/rebar/src/vendored/r3_hex_api.erl and program routines hex_core:request/4, mix_hex_api:request/4, r3_hex_api:request/4.
This issue affects hex_core: from 0.1.0 before 0.12.1; hex: from 2.3.0 before 2.3.2; rebar3: from 3.9.1 before 3.27.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 18.3%
CVSS Severity
CVSS v3 Score 7.5
References
- https://cna.erlef.org/cves/CVE-2026-21619.html
- https://github.com/erlang/rebar3/commit/1d4478f527e373de0b225951e53115450e0d9b9d
- https://github.com/hexpm/hex/commit/636739f3322514e9303ca335fb630696fcbb3c95
- https://github.com/hexpm/hex_core/commit/cdf726095bca85ad2549d146df1e831ae93c2b13
- https://github.com/hexpm/hex_core/security/advisories/GHSA-hx9w-f2w9-9g96
- https://osv.dev/vulnerability/EEF-CVE-2026-21619
Products affected by CVE-2026-21619
-
cpe:2.3:a:erlang:rebar3:3.10.0
-
cpe:2.3:a:erlang:rebar3:3.11.0
-
cpe:2.3:a:erlang:rebar3:3.11.1
-
cpe:2.3:a:erlang:rebar3:3.12.0
-
cpe:2.3:a:erlang:rebar3:3.13.0
-
cpe:2.3:a:erlang:rebar3:3.13.1
-
cpe:2.3:a:erlang:rebar3:3.13.2
-
cpe:2.3:a:erlang:rebar3:3.14.0
-
cpe:2.3:a:erlang:rebar3:3.14.1
-
cpe:2.3:a:erlang:rebar3:3.14.2
-
cpe:2.3:a:erlang:rebar3:3.14.3
-
cpe:2.3:a:erlang:rebar3:3.14.4
-
cpe:2.3:a:erlang:rebar3:3.15.0
-
cpe:2.3:a:erlang:rebar3:3.15.1
-
cpe:2.3:a:erlang:rebar3:3.15.2
-
cpe:2.3:a:erlang:rebar3:3.16.0
-
cpe:2.3:a:erlang:rebar3:3.16.1
-
cpe:2.3:a:erlang:rebar3:3.17.0
-
cpe:2.3:a:erlang:rebar3:3.18.0
-
cpe:2.3:a:erlang:rebar3:3.19.0
-
cpe:2.3:a:erlang:rebar3:3.20.0
-
cpe:2.3:a:erlang:rebar3:3.21.0
-
cpe:2.3:a:erlang:rebar3:3.22.0
-
cpe:2.3:a:erlang:rebar3:3.22.1
-
cpe:2.3:a:erlang:rebar3:3.23.0
-
cpe:2.3:a:erlang:rebar3:3.24.0
-
cpe:2.3:a:erlang:rebar3:3.25.0
-
cpe:2.3:a:erlang:rebar3:3.25.1
-
cpe:2.3:a:erlang:rebar3:3.26.0
-
cpe:2.3:a:erlang:rebar3:3.9.1
-
cpe:2.3:a:hex:hex:2.3.0
-
cpe:2.3:a:hex:hex:2.3.1
-
cpe:2.3:a:hex:hex_core:0.1.0
-
cpe:2.3:a:hex:hex_core:0.1.1
-
cpe:2.3:a:hex:hex_core:0.10.0
-
cpe:2.3:a:hex:hex_core:0.10.1
-
cpe:2.3:a:hex:hex_core:0.10.2
-
cpe:2.3:a:hex:hex_core:0.10.3
-
cpe:2.3:a:hex:hex_core:0.11.0
-
cpe:2.3:a:hex:hex_core:0.12.0
-
cpe:2.3:a:hex:hex_core:0.2.0
-
cpe:2.3:a:hex:hex_core:0.2.1
-
cpe:2.3:a:hex:hex_core:0.3.0
-
cpe:2.3:a:hex:hex_core:0.4.0
-
cpe:2.3:a:hex:hex_core:0.5.0
-
cpe:2.3:a:hex:hex_core:0.5.1
-
cpe:2.3:a:hex:hex_core:0.6.0
-
cpe:2.3:a:hex:hex_core:0.6.1
-
cpe:2.3:a:hex:hex_core:0.6.2
-
cpe:2.3:a:hex:hex_core:0.6.3
-
cpe:2.3:a:hex:hex_core:0.6.4
-
cpe:2.3:a:hex:hex_core:0.6.5
-
cpe:2.3:a:hex:hex_core:0.6.6
-
cpe:2.3:a:hex:hex_core:0.6.7
-
cpe:2.3:a:hex:hex_core:0.6.8
-
cpe:2.3:a:hex:hex_core:0.6.9
-
cpe:2.3:a:hex:hex_core:0.7.0
-
cpe:2.3:a:hex:hex_core:0.7.1
-
cpe:2.3:a:hex:hex_core:0.8.0
-
cpe:2.3:a:hex:hex_core:0.8.1
-
cpe:2.3:a:hex:hex_core:0.8.2
-
cpe:2.3:a:hex:hex_core:0.8.3
-
cpe:2.3:a:hex:hex_core:0.8.4
-
cpe:2.3:a:hex:hex_core:0.9.0