Summary Publication CVE ID Published Date Last Updated
TFTP Path Traversal
  • pkg:github/erlang/otp
  • pkg:otp/inets
  • pkg:otp/tftp
 CVE-2026-21620 20 February 2026 21 February 2026
Cross-site scripting (XSS) in OAuth Device Authorization screen
  • pkg:github/hexpm/hexpm
  • hexpm / hex.pm
 CVE-2026-21618 19 January 2026 21 January 2026
Authorization bypass when bypass policy condition evaluates to true
  • pkg:hex/ash
  • pkg:github/ash-project/ash
 CVE-2025-48044 17 October 2025 20 February 2026
Bypass and runtime policies that can never pass may be incorrectly applied in filter authorization
  • pkg:hex/ash
  • pkg:github/ash-project/ash
 CVE-2025-48043 10 October 2025 20 February 2026
Before action hooks may execute in certain scenarios despite a request being forbidden
  • pkg:hex/ash
  • pkg:github/ash-project/ash
 CVE-2025-48042 07 September 2025 20 February 2026
SSH_FXP_OPENDIR may Lead to Exhaustion of File Handles
  • pkg:otp/ssh
  • pkg:github/erlang/otp
 CVE-2025-48041 11 September 2025 20 February 2026
Malicious Key Exchange Messages may Lead to Excessive Resource Consumption
  • pkg:otp/ssh
  • pkg:github/erlang/otp
 CVE-2025-48040 11 September 2025 20 February 2026
Unverified Paths can Cause Excessive Use of System Resources
  • pkg:otp/ssh
  • pkg:github/erlang/otp
 CVE-2025-48039 11 September 2025 20 February 2026
Unverified File Handles can Cause Excessive Use of System Resources
  • pkg:otp/ssh
  • pkg:github/erlang/otp
 CVE-2025-48038 11 September 2025 20 February 2026
Missing Session Revocation on Logout in ash_authentication_phoenix
  • pkg:hex/ash_authentication_phoenix
  • pkg:github/team-alembic/ash_authentication_phoenix
 CVE-2025-4754 17 June 2025 20 February 2026
Absolute path traversal in zip:unzip/1,2
  • pkg:otp/stdlib
  • pkg:github/erlang/otp
 CVE-2025-4748 16 June 2025 20 February 2026

CVE’s can also be requested as a JSON: GET /cves/index.json

OSV records can also be requested as a JSON: GET /osv/all.json