OSV - Open Source Vulnerabilities

EEF-CVE-2026-53423

Hex/membrane_mp4_plugin
github.com/membraneframework/membrane_mp4_plugin

Unauthenticated denial-of-service via BEAM atom table exhaustion in membrane_mp4_plugin

22 hours ago

Fix available
Severity - 5.9 (Medium)

GHSA-mrhx-6pw9-q5fh

Hex/phoenix_storybook

PhoenixStorybook has cross-session PubSub topic injection via URL parameter

2 days ago

Fix available
Severity - 2.3 (Low)

GHSA-833p-95jq-929q

Hex/phoenix_storybook

PhoenixStorybook: Unbounded atom creation from LiveView event params (atom-table DoS)

2 days ago

Fix available
Severity - 8.2 (High)

GHSA-55hg-8qxv-qj4p

Hex/phoenix_storybook

PhoenixStorybook: Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground

2 days ago

Fix available
Severity - 9.5 (Critical)

EEF-CVE-2026-43966

Hex/cowlib
github.com/ninenines/cowlib

HTTP Response Splitting via Non-VCHAR Bytes in cow_http_struct_hd:escape_string/2

3 days ago

No fix available
Severity - 6.3 (Medium)

EEF-CVE-2026-49755

Hex/req
github.com/wojtekmach/req.git

Decompression bomb DoS in Req via auto-decoded archive and compressed response bodies

3 days ago

Fix available
Severity - 8.2 (High)

EEF-CVE-2026-49756

Hex/req
github.com/wojtekmach/req.git

Multipart form-data header injection in Req via unescaped name/filename/content_type

3 days ago

Fix available
Severity - 2.1 (Low)

EEF-CVE-2026-43973

Hex/gun
github.com/ninenines/gun.git

gun HTTP/1.1 response buffer has no size limit allowing server-controlled memory exhaustion

3 days ago

Fix available
Severity - 8.7 (High)

EEF-CVE-2026-43972

Hex/gun
github.com/ninenines/gun.git

gun HTTP/2 PUSH_PROMISE authority not validated against connection origin allows cross-origin cookie injection

3 days ago

Fix available
Severity - 6.3 (Medium)

EEF-CVE-2026-43974

Hex/gun
github.com/ninenines/gun.git

gun HTTP/1.1 client accepts unsolicited 101 Switching Protocols response allowing server-driven protocol hijack and OOM

3 days ago

Fix available
Severity - 8.7 (High)

EEF-CVE-2026-48596

Hex/tesla
github.com/elixir-tesla/tesla.git

CRLF injection in Tesla.Multipart.add_content_type_param/2 allows HTTP header injection

02 Jun

Fix available
Severity - 2.1 (Low)

EEF-CVE-2026-48594

Hex/tesla
github.com/elixir-tesla/tesla.git

Decompression bomb in Tesla.Middleware.DecompressResponse and Tesla.Middleware.Compression

02 Jun

Fix available
Severity - 8.2 (High)

EEF-CVE-2026-48595

Hex/tesla
github.com/elixir-tesla/tesla.git

Authorization header leaks to third-party origin on cross-origin redirect in Tesla.Middleware.FollowRedirects

02 Jun

Fix available
Severity - 8.2 (High)

EEF-CVE-2026-48597

Hex/tesla
github.com/elixir-tesla/tesla.git

Atom table exhaustion via untrusted URL scheme in Tesla.Adapter.Mint

02 Jun

Fix available
Severity - 8.2 (High)

EEF-CVE-2026-48598

Hex/tesla
github.com/elixir-tesla/tesla.git

CRLF injection in Tesla.Multipart disposition parameters allows multipart part header injection

02 Jun

Fix available
Severity - 2.1 (Low)

EEF-CVE-2026-49753

Hex/mint
github.com/elixir-mint/mint.git

HTTP response smuggling in Mint HTTP/1 client via lenient Content-Length parsing

02 Jun

Fix available
Severity - 6.3 (Medium)