PatchSiren

elixir-plug CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH elixir-plug CVE published 2026-06-23

CVE-2026-54892

CVE-2026-54892 is a high-severity vulnerability in Plug's nested-parameter decoder. An unauthenticated remote attacker can exploit this issue to cause a denial of service. The vulnerability arises from inefficient algorithmic complexity in the decoder, which can lead to a denial of service when a key contains many bracketed segments. This issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18. [truncated]

HIGH elixir-plug CVE published 2026-04-27

CVE-2026-32688

CVE-2026-32688 is a high-severity denial-of-service issue in elixir-plug plug_cowboy. In affected versions, HTTP/2 request handling can turn attacker-controlled :scheme values into atoms, permanently consuming entries in the BEAM atom table until the node aborts with system_limit. HTTP/1.1 is not affected by the described path.