The Erlang Ecosystem Foundation CNA is a collaborative effort to assign and maintain CVE identifiers within the ecosystem, providing a consistent and transparent process for reporting, documenting, and mitigating security vulnerabilities.

Erlang
Erlang Ecosystem Foundation
Elixir
Gleam
Hex.pm
Nerves
OpenRiak

As a CNA (CVE Numbering Authority), we assign CVE IDs for vulnerabilities in active packages hosted on Hex.pm and in projects under the GitHub organizations listed in our scope. All CVEs are also published to OSV.dev. This CNA is hosted by the Erlang Ecosystem Foundation’s Security Working Group.

CVE Activity

CVE Publications by Quarter 0 20 40 60 80 Q1 2025 Q2 2025 Q3 2025 Q4 2025 Q1 2026 Q2 2026 Q3 2026 Actual CVEs Projected / Forecast

CVEs published by quarter since the CNA was established.

Latest CVEs

CVE-2026-47074 May 28, 2026
ex_aws_sns SigningCertURL not validated in verify_message/1
pkg:hex/ex_aws_sns
CVE-2026-42790 May 27, 2026
nameConstraints DNS bypass via subject CommonName fallback in public_key hostname verification
pkg:otp/public_key
CVE-2026-42791 May 27, 2026
OCSP responder certificate validity period not checked in public_key
pkg:otp/public_key

View All CVEs

Resources

CNA Scope What projects we cover Contact Report a vulnerability CVE Criteria Assignment guidelines Security Policy Disclosure process Data Licensing License information Common Weaknesses CWE distribution Maintainer Process How coordinated disclosure works Coordinator Process Volunteer to handle reports