The Erlang Ecosystem Foundation CNA is a collaborative effort to assign and maintain CVE identifiers within the ecosystem, providing a consistent and transparent process for reporting, documenting, and mitigating security vulnerabilities.

Erlang
Erlang Ecosystem Foundation
Elixir
Gleam
Hex.pm
Nerves
OpenRiak

As a CNA (CVE Numbering Authority), we assign CVE IDs for vulnerabilities in active packages hosted on Hex.pm and in projects under the GitHub organizations listed in our scope. All CVEs are also published to OSV.dev. This CNA is hosted by the Erlang Ecosystem Foundation’s Security Working Group.

CVE Activity

CVE Publications by Quarter 0 9 18 27 36 45 Q1 2025: 0 CVEs Q1 2025 Q2 2025: 2 CVEs Q2 2025 Q3 2025: 5 CVEs Q3 2025 Q4 2025: 2 CVEs Q4 2025 Q1 2026: 13 CVEs Q1 2026 Q2 2026: 13 CVEs published (34% of quarter elapsed) Q2 2026 projected: ~38 CVEs Q2 2026 Q3 2026 forecast: ~42 CVEs (linear trend) Q3 2026

CVEs published by quarter since the CNA was established.

Latest CVEs

CVE-2026-39805 May 01, 2026
CL.CL HTTP request smuggling via duplicate Content-Length in bandit
pkg:hex/bandit
CVE-2026-39804 May 01, 2026
WebSocket permessage-deflate inflate has no output-size cap in bandit
pkg:hex/bandit
CVE-2026-39807 May 01, 2026
Client-supplied URI scheme trusted without transport verification in bandit
pkg:hex/bandit

View All CVEs

Resources

CNA Scope What projects we cover Contact Report a vulnerability CVE Criteria Assignment guidelines Security Policy Disclosure process