CVE-2026-23939

UNKNOWN 0.0

Path Traversal in Local File Store Backend

CVSS Score

0.0

EPSS Score

0.1%

EPSS Percentile

23th

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Store.Local' module) allows Relative Path Traversal. This vulnerability is associated with program files lib/hexpm/store/local.ex and program routines 'Elixir.Hexpm.Store.Local':get/3, 'Elixir.Hexpm.Store.Local':put/4, 'Elixir.Hexpm.Store.Local':delete/2, 'Elixir.Hexpm.Store.Local':delete_many/2. This issue does NOT affect hex.pm the service. Only self-hosted deployments using the Local Storage backend are affected. This issue affects hexpm: from 931ee0ed46fa89218e0400a4f6e6d15f96406050 before 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0.

CWE	CWE-22
Vendor	hexpm
Product	hexpm
Published	Feb 26, 2026
Last Updated	Apr 7, 2026

Stay Ahead of the Next One

Get instant alerts for hexpm hexpm

Be the first to know when new unknown vulnerabilities affecting hexpm hexpm are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

hexpm / hexpm

931ee0ed46fa89218e0400a4f6e6d15f96406050 < 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/hexpm/hexpm/security/advisories/GHSA-42mv-r64p-4869 cna.erlef.org: https://cna.erlef.org/cves/CVE-2026-23939.html osv.dev: https://osv.dev/vulnerability/EEF-CVE-2026-23939 github.com: https://github.com/hexpm/hexpm/commit/5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0

Credits

Michael Lubas / Paraxial.io Jonatan Männchen / EEF Eric Meadows-Jönsson / Hex.pm