Since our last CNA write-up the
Erlang Ecosystem Foundation CNA has been busy:
roughly two dozen CVEs in the last month, several in packages almost every
Elixir web app depends on. Below they're grouped by package and ordered by
severity (CVSS), worst first, with the version to upgrade to. If you do one
thing, run mix hex.audit.
ueberauth_apple
-
CVE-2026-55954 CRITICAL 9.1: the JWT signature is checked but ID-token claims aren't, so any Apple-signed token bearing a victim's identifier can be replayed for account takeover.
Fix Upgrade
ueberauth_appleto 0.6.2. Patch this today if you offer Sign in with Apple.
phoenix
-
CVE-2026-56811 HIGH 8.7: no per-connection channel-join limit, process-exhaustion DoS from a single unauthenticated connection.
-
CVE-2026-56812 MEDIUM 6.3: Presence client crashes on prototype-key collisions in
syncState/syncDiff.Fix Upgrade
phoenixto 1.8.9 (or 1.7.24 / 1.6.17 / 1.5.15 on older branches).
mint
-
CVE-2026-56810 HIGH 8.7: buffers an entire chunked response chunk in memory.
-
CVE-2026-58229 HIGH 8.2: unbounded HTTP/1 response-header accumulation, memory-exhaustion DoS.
-
CVE-2026-59246 MEDIUM 6.3: zero-length HTTP/2 CONTINUATION frames slip past the header byte-size cap.
Fix Upgrade
mintto 1.9.2. Mint sits under Finch, Req and friends, so you may pull it in transitively.
hpax
-
CVE-2026-58226 HIGH 8.7: unbounded HPACK integer decoding, unauthenticated DoS.
Fix Upgrade
hpaxto 1.0.4. Transitive via Bandit and Mint.
ssl (Erlang/OTP)
-
CVE-2026-55950 HIGH 8.7: DTLS listener crash via a race in
dtls_packet_demux. -
CVE-2026-55952 HIGH 8.2: TLS 1.3 server DoS via a malformed ClientHello pre-shared-key extension.
-
CVE-2026-54891 MEDIUM 6.3: plaintext
APPLICATION_DATAinjected during the TLS handshake, delivered post-handshake. -
CVE-2026-54887 MEDIUM 6.3: DTLS cookie bypass during the startup window.
Fix Upgrade Erlang/OTP to 29.0.3, 28.5.0.3, or 27.3.4.14 (whichever matches your branch). An OTP upgrade, not a Hex bump.
mdex
-
CVE-2026-53426 HIGH: atom-table exhaustion DoS via JSON
parse_document. -
CVE-2026-54889 MEDIUM:
javascript:injection (XSS) in Quill Delta output. -
CVE-2026-54888 MEDIUM: uncontrolled recursion over deeply nested Markdown crashes the BEAM.
-
CVE-2026-53429 MEDIUM: native memory leak in escaped-tag rendering.
-
CVE-2026-53428 MEDIUM: unbounded allocation in
highlight_linesrange expansion. -
CVE-2026-53427 LOW: XSS via an unescaped
highlight_lines_classcode-fence attribute.Fix Upgrade
mdexto 0.13.x (we run 0.13.3). We hit these on this very site, see the Hex 2.5 write-up.
plug
-
CVE-2026-56814 MEDIUM 6.9: multipart part headers aren't charged to the
:lengthlimit, so uploads can create unbounded temp files. -
CVE-2026-56813 LOW 2.1: cookie attribute injection in
Plug.Conn.Cookies.encode/2.Fix Upgrade
plugto 1.20.3 (or 1.19.5 / 1.18.5 / 1.17.4 / 1.16.6 on older branches).
ssh (Erlang/OTP)
-
CVE-2026-54886 MEDIUM 5.3: SFTP server DoS via an extended channel-data infinite loop.
-
CVE-2026-53422 LOW 2.3: SFTP
REALPATHpath-existence oracle allows enumeration outside the configured root.Fix The same OTP releases as above: 29.0.3 / 28.5.0.3 / 27.3.4.14.
phoenix_live_view
-
CVE-2026-58228 MEDIUM 5.1: scheme-validation bypass in
Phoenix.LiveView.Utils, XSS via<.link>.Fix Upgrade
phoenix_live_viewto 1.2.7.
postgrex
-
CVE-2026-58225 LOW 2.1: SQL injection via an unescaped dollar-quote in notification reconnect replay, causing DoS.
Fix Upgrade
postgrexto 0.22.3.
swoosh
-
CVE-2026-54893 LOW 2.1: email-derived URL path injection in the Microsoft Graph adapter, only if you derive the sender address from untrusted input.
Fix Upgrade
swooshto 1.26.3.
What to do
- Run
mix hex.audit. On Hex 2.5 it also flags advisories inline duringmix deps.getand fails CI on a vulnerable lockfile (see the Hex 2.5 write-up). - Patch worst first: the CRITICAL
ueberauth_appleaccount-takeover, then the HIGH memory-exhaustion DoS in Phoenix, Mint, hpax and OTPssl. Update Erlang/OTP for thesslandsshones. - Watch the EEF CNA advisory list.
Most of these are denial-of-service via unbounded memory, but the Apple auth bypass is a real account takeover and the LiveView issue is an XSS, so don't sit on those. The reassuring part: the ecosystem catalogues this properly now and the tooling surfaces it, so staying current is mostly a matter of running the audit and not ignoring it.