CVE-2026-21618

UNKNOWN 0.0

Cross-site scripting (XSS) in OAuth Device Authorization screen

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 15th

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.SharedAuthorizationView' modules) allows Cross-Site Scripting (XSS). This vulnerability is associated with program files lib/hexpm_web/views/shared_authorization_view.ex and program routines 'Elixir.HexpmWeb.SharedAuthorizationView':render_grouped_scopes/3. This issue affects hexpm: from 617e44c71f1dd9043870205f371d375c5c4d886d before c692438684ead90c3bcbfb9ccf4e63c768c668a8, from pkg:github/hexpm/hexpm@617e44c71f1dd9043870205f371d375c5c4d886d before pkg:github/hexpm/hexpm@c692438684ead90c3bcbfb9ccf4e63c768c668a8; hex.pm: from 2025-10-01 before 2026-01-19.

CWE: CWE-79
Vendor: hexpm
Product: hexpm
Published: Jan 19, 2026
Last Updated: Apr 6, 2026

Affected Versions

hexpm / hexpm
617e44c71f1dd9043870205f371d375c5c4d886d < c692438684ead90c3bcbfb9ccf4e63c768c668a8
hexpm / hex.pm
2025-10-01 < 2026-01-19

References

github.com: https://github.com/hexpm/hexpm/security/advisories/GHSA-6cw9-5gg4-rhpj
cna.erlef.org: https://cna.erlef.org/cves/CVE-2026-21618.html
osv.dev: https://osv.dev/vulnerability/EEF-CVE-2026-21618
github.com: https://github.com/hexpm/hexpm/commit/c692438684ead90c3bcbfb9ccf4e63c768c668a8

Credits

Joud Zakharia / zentrust partners GmbH
Jonatan Männchen / EEF
Eric Meadows-Jönsson / Hex.pm