
CVE-2026-21619

Severity: LOW | CVSS 4.0: 2.0 | EPSS: 0.06%
Updated Apr 06, 2026
Hexpm
Parameter | Value
CVSS | 2.0 (LOW)
Affected Versions | 0.1.0 to 3.27.0
Fixed In | 3.27.0
Type | CWE-502 (Deserialization of Untrusted Data), CWE-400 (Uncontrolled Resource Consumption)
Vendor | Hexpm
Public PoC | No

An Uncontrolled Resource Consumption and Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), and erlang rebar3 (r3_hex_api modules) allows Object Injection and Excessive Allocation. The vulnerability is associated with the program files src/hex_api.erl, src/mix_hex_api.erl, and apps/rebar/src/vendored/r3_hex_api.erl, and with the program routines hex_core:request/4, mix_hex_api:request/4, and r3_hex_api:request/4. This issue affects hex_core from 0.1.0 before 0.12.1; hex from 2.3.0 before 2.3.2; and rebar3 from 3.9.1 before 3.27.0.

Attack Parameters

Attack Vector: Network (can be exploited remotely)
Attack Complexity: Low (easy to exploit)
Attack Requirements: Present (additional conditions required)
Privileges Required: Low (basic privileges needed)
User Interaction: Active (user action required)

Impact Assessment

Confidentiality: None (no data leak)
Integrity: None (no data modification)
Availability: Low (partial disruption)

CVSS Vector v4.0

Vulnerable Products 5

Configuration | CPE | From (including) | Up to (excluding)
Erlang Rebar3 | cpe:2.3:a:erlang:rebar3:*:*:*:*:*:*:*:* | 3.9.1 | 3.27.0
Hex Hex | cpe:2.3:a:hex:hex:*:*:*:*:*:*:*:* | 2.3.0 | 2.3.2
Hex Hex_Core | cpe:2.3:a:hex:hex_core:*:*:*:*:*:*:*:* | 0.1.0 | 0.12.1
Hexpm Hex_Core | cpe:2.3:a:hexpm:hex_core:*:*:*:*:*:*:*:* | 0.1.0 | 0.12.1
Hexpm Hex | cpe:2.3:a:hexpm:hex:*:*:*:*:*:*:*:* | 2.3.0 | 2.3.2
