CVE-2026-21618

Cross-site scripting (XSS) in OAuth Device Authorization screen

Previous Page: « Back to all CVEs Next Page: See on OSV.dev »

Weakness Type (CWE)

CWE-79 — CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

CAPEC

• CAPEC-63 — CAPEC-63 Cross-Site Scripting (XSS)

CVSS 4.0 Score

8.5

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N

Vulnerability description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.SharedAuthorizationView' modules) allows Cross-Site Scripting (XSS).

This vulnerability is associated with program files lib/hexpm_web/views/shared_authorization_view.ex and program routines 'Elixir.HexpmWeb.SharedAuthorizationView':render_grouped_scopes/3.

This issue affects hexpm: from 617e44c71f1dd9043870205f371d375c5c4d886d before c692438684ead90c3bcbfb9ccf4e63c768c668a8, from pkg:github/hexpm/hexpm@617e44c71f1dd9043870205f371d375c5c4d886d before pkg:github/hexpm/hexpm@c692438684ead90c3bcbfb9ccf4e63c768c668a8; hex.pm: from 2025-10-01 before 2026-01-19.

Affected

pkg:github/hexpm/hexpm

Module	Source File	Routine
HexpmWeb.SharedAuthorizationView	lib/hexpm_web/views/shared_authorization_view.ex	HexpmWeb.SharedAuthorizationView.render_grouped_scopes/3

Status	Type	Version	Changes / Fixed in
affected	git ⓘ	617e44c71f1d	< c692438684ea

hexpm / hex.pm

Status	Type	Version	Changes / Fixed in
affected	date	2025-10-01	< 2026-01-19

References

• https://github.com/hexpm/hexpm/security/advisories/GHSA-6cw9-5gg4-rhpj vendor-advisory
• https://github.com/hexpm/hexpm/commit/c692438684ead90c3bcbfb9ccf4e63c768c668a8 patch

Credits

• Finder: Joud Zakharia / zentrust partners GmbH
• Remediation developer: Jonatan Männchen / EEF
• Remediation reviewer: Eric Meadows-Jönsson / Hex.pm

CVE record as JSON:  GET /cves/CVE-2026-21618.json
OSV record as JSON:  GET /osv/EEF-CVE-2026-21618.json