Jzakharia1

**Name of the Vulnerable Software and Affected Versions** hexpm versions prior to 495f01607d3eae4aed7ad09b2f54f31ec7a7df01 hex.pm versions prior to 2026-03-10 **Description** An uncontrolled resource consumption issue in hexpm allows for excessive allocation. Publishing an oversized package can cause Hex.pm to exhaust memory during the extraction of the uploaded package’s tarball. This can terminate the affected application instance, leading to a denial of service for package publishing and potentially other package-processing functionalities. **Recommendations** Versions prior to 495f01607d3eae4aed7ad09b2f54f31ec7a7df01 should be updated. Versions prior to 2026-03-10 should be updated.

**Name of the Vulnerable Software and Affected Versions** hexpm versions 617e44c71f1dd9043870205f371d375c5c4d886d through c692438684ead90c3bcbfb9ccf4e63c768c668a8 hex.pm versions prior to 2026-01-19 **Description** An issue exists in hexpm related to improper neutralization of input during web page generation, leading to a Cross-Site Scripting (XSS) condition. The issue is present in the 'Elixir.HexpmWeb.SharedAuthorizationView' modules, specifically within the `render grouped scopes/3` routine and the 'lib/hexpm web/views/shared authorization view.ex' file. The vulnerability allows for the execution of malicious scripts through crafted input. **Recommendations** Update hexpm from version 617e44c71f1dd9043870205f371d375c5c4d886d to version c692438684ead90c3bcbfb9ccf4e63c768c668a8. Update hex.pm to a version after 2026-01-19.