PT-2026-22180 · Hexpm · Hexpm

Realcorvus · Published 2026-02-26 · Updated 2026-02-27 · CVE-2026-23939

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

hexpm versions prior to 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0

Description

A relative path traversal issue exists in hexpm's Local Storage backend, impacting self-hosted deployments. The issue resides in the 'Elixir.Hexpm.Store.Local' module, in the file lib/hexpm/store/local.ex, and affects the following routines: get/3, put/4, delete/2, and delete_many/2. It does not affect the hex.pm service itself.

Recommendations

Update hexpm to version 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0 or later.

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-23939
GHSA-42MV-R64P-4869

Affected Products

Hexpm