{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21618", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "state": "PUBLISHED", "assignerShortName": "EEF", "dateReserved": "2026-01-01T03:46:45.933Z", "datePublished": "2026-01-19T14:22:46.770Z", "dateUpdated": "2026-04-06T16:44:10.863Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com", "cpes": ["cpe:2.3:a:hexpm:hexpm:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "modules": ["'Elixir.HexpmWeb.SharedAuthorizationView'"], "packageName": "hexpm/hexpm", "packageURL": "pkg:github/hexpm/hexpm", "product": "hexpm", "programFiles": ["lib/hexpm_web/views/shared_authorization_view.ex"], "programRoutines": [{"name": "'Elixir.HexpmWeb.SharedAuthorizationView':render_grouped_scopes/3"}], "repo": "https://github.com/hexpm/hexpm.git", "vendor": "hexpm", "versions": [{"lessThan": "c692438684ead90c3bcbfb9ccf4e63c768c668a8", "status": "affected", "version": "617e44c71f1dd9043870205f371d375c5c4d886d", "versionType": "git"}]}, {"defaultStatus": "unaffected", "product": "hex.pm", "vendor": "hexpm", "versions": [{"lessThan": "2026-01-19", "status": "affected", "version": "2025-10-01", "versionType": "date"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hexpm:hexpm:*:*:*:*:*:*:*:*", "versionEndExcluding": "c692438684ead90c3bcbfb9ccf4e63c768c668a8", "versionStartIncluding": "617e44c71f1dd9043870205f371d375c5c4d886d", "vulnerable": true}], "negate": false, "operator": "AND"}], "operator": "AND"}], "credits": [{"lang": "en", "type": "finder", "value": "Joud Zakharia / zentrust partners GmbH"}, {"lang": "en", "type": "remediation developer", "value": "Jonatan M\u00e4nnchen / EEF"}, {"lang": "en", "type": "remediation reviewer", "value": "Eric Meadows-J\u00f6nsson / Hex.pm"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.SharedAuthorizationView' modules) allows Cross-Site Scripting (XSS).<p> This vulnerability is associated with program files <tt>lib/hexpm_web/views/shared_authorization_view.ex</tt> and program routines <tt>'Elixir.HexpmWeb.SharedAuthorizationView':render_grouped_scopes/3</tt>.</p><p>This issue affects hexpm: from 617e44c71f1dd9043870205f371d375c5c4d886d before c692438684ead90c3bcbfb9ccf4e63c768c668a8, from pkg:github/hexpm/hexpm@617e44c71f1dd9043870205f371d375c5c4d886d before pkg:github/hexpm/hexpm@c692438684ead90c3bcbfb9ccf4e63c768c668a8; hex.pm: from 2025-10-01 before 2026-01-19.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.SharedAuthorizationView' modules) allows Cross-Site Scripting (XSS). This vulnerability is associated with program files lib/hexpm_web/views/shared_authorization_view.ex and program routines 'Elixir.HexpmWeb.SharedAuthorizationView':render_grouped_scopes/3.\n\nThis issue affects hexpm: from 617e44c71f1dd9043870205f371d375c5c4d886d before c692438684ead90c3bcbfb9ccf4e63c768c668a8, from pkg:github/hexpm/hexpm@617e44c71f1dd9043870205f371d375c5c4d886d before pkg:github/hexpm/hexpm@c692438684ead90c3bcbfb9ccf4e63c768c668a8; hex.pm: from 2025-10-01 before 2026-01-19."}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.5, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", "dateUpdated": "2026-04-06T16:44:10.863Z"}, "references": [{"tags": ["vendor-advisory", "related"], "url": "https://github.com/hexpm/hexpm/security/advisories/GHSA-6cw9-5gg4-rhpj"}, {"tags": ["related"], "url": "https://cna.erlef.org/cves/CVE-2026-21618.html"}, {"tags": ["related"], "url": "https://osv.dev/vulnerability/EEF-CVE-2026-21618"}, {"tags": ["patch"], "url": "https://github.com/hexpm/hexpm/commit/c692438684ead90c3bcbfb9ccf4e63c768c668a8"}], "source": {"discovery": "UNKNOWN"}, "title": "Cross-site scripting (XSS) in OAuth Device Authorization screen", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T16:16:45.709727Z", "id": "CVE-2026-21618", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T16:16:57.225Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21618", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-20T16:16:45.709727Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T16:16:50.302Z"}}], "cna": {"title": "Cross-site scripting (XSS) in OAuth Device Authorization screen", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Joud Zakharia / zentrust partners GmbH"}, {"lang": "en", "type": "remediation developer", "value": "Jonatan M\u00e4nnchen / EEF"}, {"lang": "en", "type": "remediation reviewer", "value": "Eric Meadows-J\u00f6nsson / Hex.pm"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:hexpm:hexpm:*:*:*:*:*:*:*:*"], "repo": "https://github.com/hexpm/hexpm.git", "vendor": "hexpm", "modules": ["'Elixir.HexpmWeb.SharedAuthorizationView'"], "product": "hexpm", "versions": [{"status": "affected", "version": "617e44c71f1dd9043870205f371d375c5c4d886d", "lessThan": "c692438684ead90c3bcbfb9ccf4e63c768c668a8", "versionType": "git"}], "packageURL": "pkg:github/hexpm/hexpm", "packageName": "hexpm/hexpm", "programFiles": ["lib/hexpm_web/views/shared_authorization_view.ex"], "collectionURL": "https://github.com", "defaultStatus": "unaffected", "programRoutines": [{"name": "'Elixir.HexpmWeb.SharedAuthorizationView':render_grouped_scopes/3"}]}, {"vendor": "hexpm", "product": "hex.pm", "versions": [{"status": "affected", "version": "2025-10-01", "lessThan": "2026-01-19", "versionType": "date"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/hexpm/hexpm/security/advisories/GHSA-6cw9-5gg4-rhpj", "tags": ["vendor-advisory", "related"]}, {"url": "https://cna.erlef.org/cves/CVE-2026-21618.html", "tags": ["related"]}, {"url": "https://osv.dev/vulnerability/EEF-CVE-2026-21618", "tags": ["related"]}, {"url": "https://github.com/hexpm/hexpm/commit/c692438684ead90c3bcbfb9ccf4e63c768c668a8", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.SharedAuthorizationView' modules) allows Cross-Site Scripting (XSS). This vulnerability is associated with program files lib/hexpm_web/views/shared_authorization_view.ex and program routines 'Elixir.HexpmWeb.SharedAuthorizationView':render_grouped_scopes/3.\n\nThis issue affects hexpm: from 617e44c71f1dd9043870205f371d375c5c4d886d before c692438684ead90c3bcbfb9ccf4e63c768c668a8, from pkg:github/hexpm/hexpm@617e44c71f1dd9043870205f371d375c5c4d886d before pkg:github/hexpm/hexpm@c692438684ead90c3bcbfb9ccf4e63c768c668a8; hex.pm: from 2025-10-01 before 2026-01-19.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.SharedAuthorizationView' modules) allows Cross-Site Scripting (XSS).<p> This vulnerability is associated with program files <tt>lib/hexpm_web/views/shared_authorization_view.ex</tt> and program routines <tt>'Elixir.HexpmWeb.SharedAuthorizationView':render_grouped_scopes/3</tt>.</p><p>This issue affects hexpm: from 617e44c71f1dd9043870205f371d375c5c4d886d before c692438684ead90c3bcbfb9ccf4e63c768c668a8, from pkg:github/hexpm/hexpm@617e44c71f1dd9043870205f371d375c5c4d886d before pkg:github/hexpm/hexpm@c692438684ead90c3bcbfb9ccf4e63c768c668a8; hex.pm: from 2025-10-01 before 2026-01-19.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hexpm:hexpm:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "c692438684ead90c3bcbfb9ccf4e63c768c668a8", "versionStartIncluding": "617e44c71f1dd9043870205f371d375c5c4d886d"}], "operator": "AND"}], "operator": "AND"}], "providerMetadata": {"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", "dateUpdated": "2026-04-06T16:44:10.863Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21618", "state": "PUBLISHED", "dateUpdated": "2026-04-06T16:44:10.863Z", "dateReserved": "2026-01-01T03:46:45.933Z", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "datePublished": "2026-01-19T14:22:46.770Z", "assignerShortName": "EEF"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hex:hexpm:*:*:*:*:*:*:*:*", "matchCriteriaId": "0F30BDA9-1780-4D43-9654-3C9548620BE4", "versionEndExcluding": "2026-01-19", "versionStartIncluding": "2025-10-01", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.SharedAuthorizationView' modules) allows Cross-Site Scripting (XSS). This vulnerability is associated with program files lib/hexpm_web/views/shared_authorization_view.ex and program routines 'Elixir.HexpmWeb.SharedAuthorizationView':render_grouped_scopes/3.\n\nThis issue affects hexpm: from 617e44c71f1dd9043870205f371d375c5c4d886d before c692438684ead90c3bcbfb9ccf4e63c768c668a8, from pkg:github/hexpm/hexpm@617e44c71f1dd9043870205f371d375c5c4d886d before pkg:github/hexpm/hexpm@c692438684ead90c3bcbfb9ccf4e63c768c668a8; hex.pm: from 2025-10-01 before 2026-01-19."}, {"lang": "es", "value": "Neutralizaci\u00f3n Inadecuada de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web (XSS o 'cross-site scripting') vulnerabilidad en hexpm hexpm/hexpm (m\u00f3dulos 'Elixir.HexpmWeb.SharedAuthorizationView') permite cross-site scripting (XSS). Esta vulnerabilidad est\u00e1 asociada con los archivos de programa lib/hexpm_web/views/shared_authorization_view.ex y las rutinas de programa 'Elixir.HexpmWeb.SharedAuthorizationView':render_grouped_scopes/3.\n\nEste problema afecta a hexpm: desde 617e44c71f1dd9043870205f371d375c5c4d886d antes de c692438684ead90c3bcbfb9ccf4e63c768c668a8, desde pkg:github/hexpm/hexpm@617e44c71f1dd9043870205f371d375c5c4d886d antes de pkg:github/hexpm/hexpm@c692438684ead90c3bcbfb9ccf4e63c768c668a8; hex.pm: desde 2025-10-01 antes de 2026-01-19."}], "id": "CVE-2026-21618", "lastModified": "2026-04-06T17:17:06.820", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}, "published": "2026-01-19T15:15:50.693", "references": [{"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://cna.erlef.org/cves/CVE-2026-21618.html"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "tags": ["Patch"], "url": "https://github.com/hexpm/hexpm/commit/c692438684ead90c3bcbfb9ccf4e63c768c668a8"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/hexpm/hexpm/security/advisories/GHSA-6cw9-5gg4-rhpj"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://osv.dev/vulnerability/EEF-CVE-2026-21618"}], "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T21:45:02.012164+00:00", "value": {"mitigation_remediation": ["Upgrade hexpm to a revision after commit c692438684ead90c3bcbfb9ccf4e63c768c668a8 or to a release newer than 2026-01-19.", "If an upgrade is not immediately possible, enforce a strict Content\u2011Security\u2011Policy header that blocks inline scripts, only allows scripts from trusted sources, and removes unsafe-inline and unsafe-eval.", "Monitor OAuth Device Authorization traffic for abnormal query parameters or URLs and block or alert on suspicious requests."], "summary": {"action": "Patch Immediately", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Hex.pm packages and the hex.pm application are impacted. Specifically versions before the commit c692438684ead90c3bcbfb9ccf4e63c768c668a8 or before 2026-01-19 for hex.pm. The affected modules are lib/hexpm_web/views/shared_authorization_view.ex.", "description_and_impact": "Improper Neutralization of Input During Web Page Generation (XSS) in hexpm/hexpm\u2019s SharedAuthorizationView, specifically render_grouped_scopes/3, allows an attacker to inject malicious script. This could run in the victim\u2019s browser, potentially stealing session cookies, tokens, or executing malicious actions in the attacker\u2019s context. The weakness is identified as CWE-79.", "risk_and_exploitability": "CVSS base score of 8.5 indicates high severity. EPSS less than 1% suggests very low likelihood of widespread exploitation. There is no entry in KEV. Attack vector is cross-domain inherited via the OAuth Device Authorization screen; the vulnerability requires a crafted URL or redirect context that invites a user to authenticate with the maliciously crafted device. The flaw is client-side; no additional privileges are required. Because the flaw allows arbitrary JavaScript in the OAuth redirect context, an attacker could hijack an existing user session or inject malicious content."}}}}, "created": "2026-04-15T21:45:14.155329+00:00", "updated": "2026-04-15T21:45:14.155344+00:00", "vendors": []}