Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.SharedAuthorizationView' modules) allows Cross-Site Scripting (XSS). This vulnerability is associated with program files lib/hexpm_web/views/shared_authorization_view.ex and program routines 'Elixir.HexpmWeb.SharedAuthorizationView':render_grouped_scopes/3. This issue affects hexpm: from 617e44c71f1dd9043870205f371d375c5c4d886d before c692438684ead90c3bcbfb9ccf4e63c768c668a8, from pkg:github/hexpm/hexpm@617e44c71f1dd9043870205f371d375c5c4d886d before pkg:github/hexpm/hexpm@c692438684ead90c3bcbfb9ccf4e63c768c668a8; hex.pm: from 2025-10-01 before 2026-01-19.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
Active
User action required
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
None
No disruption
CVSS Vector v4.0
Weakness Type (CWE)
Vulnerable Products 1
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Hex Hexpm
cpe:2.3:a:hex:hexpm:*:*:*:*:*:*:*:*
|
2025-10-01
|
2026-01-19
|
References 4
https://github.com/hexpm/hexpm/commit/c692438684ead90c3bcbfb9ccf4e63c768c668a8
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
https://github.com/hexpm/hexpm/security/advisories/GHSA-6cw9-5gg4-rhpj
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
https://cna.erlef.org/cves/CVE-2026-21618.html
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
https://osv.dev/vulnerability/EEF-CVE-2026-21618
6b3ad84c-e1a6-4bf7-a703-f496b71e49db