CVE-2026-54892 is a high-severity vulnerability in Plug's nested-parameter decoder. An unauthenticated remote attacker can exploit this issue to cause a denial of service. The vulnerability arises from inefficient algorithmic complexity in the decoder, which can lead to a denial of service when a key contains many bracketed segments. This issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18. [truncated]
CVE-2026-32688 is a high-severity denial-of-service issue in elixir-plug plug_cowboy. In affected versions, HTTP/2 request handling can turn attacker-controlled :scheme values into atoms, permanently consuming entries in the BEAM atom table until the node aborts with system_limit. HTTP/1.1 is not affected by the described path.