Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    8 vulnerabilities found for plug by elixir-plug

    CVE-2026-56813 (GCVE-0-2026-56813)

    Vulnerability from nvd – Published: 2026-07-10 12:51 – Updated: 2026-07-10 14:45
    VLAI
    Title
    Cookie attribute injection in Plug.Conn.Cookies.encode/2
    Summary
    Improper Neutralization of Parameter/Argument Delimiters vulnerability in elixir-plug plug allows an attacker to inject or override HTTP cookie attributes. The Plug.Conn.Cookies.encode/2 function in lib/plug/conn/cookies.ex builds the Set-Cookie response header by interpolating the cookie value and its path, domain, same_site, and extra attributes directly into the header without neutralizing the ';' delimiter that separates cookie attributes. An application that places attacker-controlled data into a cookie value or attribute (for example via Plug.Conn.put_resp_cookie/4 when reflecting a username or preference) lets an attacker inject a ';' to append or override cookie attributes (such as Domain and Path scope, or dropping the Secure and HttpOnly flags), enabling cookie tossing and session fixation. Carriage return, line feed, and null bytes are rejected by Plug.Conn header validation, so HTTP response splitting is not possible, but attribute injection through ';' is not prevented. This issue affects plug: from 0.1.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, from 1.20.0 before 1.20.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-141 - Improper Neutralization of Parameter/Argument Delimiters
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    elixir-plug plug Affected: 0.1.0 , < 1.16.6 (semver)
    Affected: 1.17.0 , < 1.17.4 (semver)
    Affected: 1.18.0 , < 1.18.5 (semver)
    Affected: 1.19.0 , < 1.19.5 (semver)
    Affected: 1.20.0 , < 1.20.3 (semver)
        cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*
    Create a notification for this product.
    elixir-plug plug Affected: f26876aa67aaeb38e616638aa3efbcc2fe2906a5 , < * (git)
        cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Peter Ullrich José Valim Jonatan Männchen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-56813",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T14:43:36.298825Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T14:43:45.849Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Plug.Conn.Cookies\u0027",
                "\u0027Elixir.Plug.Conn\u0027"
              ],
              "packageName": "plug",
              "packageURL": "pkg:hex/plug",
              "product": "plug",
              "programFiles": [
                "lib/plug/conn/cookies.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Plug.Conn.Cookies\u0027:encode/2"
                },
                {
                  "name": "\u0027Elixir.Plug.Conn\u0027:put_resp_cookie/4"
                }
              ],
              "repo": "https://github.com/elixir-plug/plug",
              "vendor": "elixir-plug",
              "versions": [
                {
                  "lessThan": "1.16.6",
                  "status": "affected",
                  "version": "0.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.17.4",
                  "status": "affected",
                  "version": "1.17.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.18.5",
                  "status": "affected",
                  "version": "1.18.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.19.5",
                  "status": "affected",
                  "version": "1.19.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.20.3",
                  "status": "affected",
                  "version": "1.20.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Plug.Conn.Cookies\u0027",
                "\u0027Elixir.Plug.Conn\u0027"
              ],
              "packageName": "elixir-plug/plug",
              "packageURL": "pkg:github/elixir-plug/plug",
              "product": "plug",
              "programFiles": [
                "lib/plug/conn/cookies.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Plug.Conn.Cookies\u0027:encode/2"
                },
                {
                  "name": "\u0027Elixir.Plug.Conn\u0027:put_resp_cookie/4"
                }
              ],
              "repo": "https://github.com/elixir-plug/plug",
              "vendor": "elixir-plug",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3f00dfad4e20ba88472e315c90a25742bf178f8e",
                      "status": "unaffected"
                    },
                    {
                      "at": "a6d1248659022749869963fd302687165ecf8c8b",
                      "status": "unaffected"
                    },
                    {
                      "at": "4167981747fe9ce75f374b94a28861ae950ea992",
                      "status": "unaffected"
                    },
                    {
                      "at": "149d9ed68fee0b4f77efd1e835ce5d785856697b",
                      "status": "unaffected"
                    },
                    {
                      "at": "eceb8315ce9a31ef784943a95a8624ebd1bc7e06",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "f26876aa67aaeb38e616638aa3efbcc2fe2906a5",
                  "versionType": "git"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.16.6",
                      "versionStartIncluding": "0.1.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.17.4",
                      "versionStartIncluding": "1.17.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.18.5",
                      "versionStartIncluding": "1.18.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.19.5",
                      "versionStartIncluding": "1.19.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.20.3",
                      "versionStartIncluding": "1.20.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Ullrich"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jos\u00e9 Valim"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Jonatan M\u00e4nnchen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eImproper Neutralization of Parameter/Argument Delimiters vulnerability in elixir-plug plug allows an attacker to inject or override HTTP cookie attributes.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003ePlug.Conn.Cookies.encode/2\u003c/tt\u003e function in \u003ctt\u003elib/plug/conn/cookies.ex\u003c/tt\u003e builds the \u003ctt\u003eSet-Cookie\u003c/tt\u003e response header by interpolating the cookie value and its \u003ctt\u003epath\u003c/tt\u003e, \u003ctt\u003edomain\u003c/tt\u003e, \u003ctt\u003esame_site\u003c/tt\u003e, and \u003ctt\u003eextra\u003c/tt\u003e attributes directly into the header without neutralizing the \u003ctt\u003e;\u003c/tt\u003e delimiter that separates cookie attributes.\u003c/p\u003e\u003cp\u003eAn application that places attacker-controlled data into a cookie value or attribute (for example via \u003ctt\u003ePlug.Conn.put_resp_cookie/4\u003c/tt\u003e when reflecting a username or preference) lets an attacker inject a \u003ctt\u003e;\u003c/tt\u003e to append or override cookie attributes (such as \u003ctt\u003eDomain\u003c/tt\u003e and \u003ctt\u003ePath\u003c/tt\u003e scope, or dropping the \u003ctt\u003eSecure\u003c/tt\u003e and \u003ctt\u003eHttpOnly\u003c/tt\u003e flags), enabling cookie tossing and session fixation. Carriage return, line feed, and null bytes are rejected by \u003ctt\u003ePlug.Conn\u003c/tt\u003e header validation, so HTTP response splitting is not possible, but attribute injection through \u003ctt\u003e;\u003c/tt\u003e is not prevented.\u003c/p\u003e\u003cp\u003eThis issue affects plug: from 0.1.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, from 1.20.0 before 1.20.3.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Parameter/Argument Delimiters vulnerability in elixir-plug plug allows an attacker to inject or override HTTP cookie attributes.\n\nThe Plug.Conn.Cookies.encode/2 function in lib/plug/conn/cookies.ex builds the Set-Cookie response header by interpolating the cookie value and its path, domain, same_site, and extra attributes directly into the header without neutralizing the \u0027;\u0027 delimiter that separates cookie attributes.\n\nAn application that places attacker-controlled data into a cookie value or attribute (for example via Plug.Conn.put_resp_cookie/4 when reflecting a username or preference) lets an attacker inject a \u0027;\u0027 to append or override cookie attributes (such as Domain and Path scope, or dropping the Secure and HttpOnly flags), enabling cookie tossing and session fixation. Carriage return, line feed, and null bytes are rejected by Plug.Conn header validation, so HTTP response splitting is not possible, but attribute injection through \u0027;\u0027 is not prevented.\n\nThis issue affects plug: from 0.1.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, from 1.20.0 before 1.20.3."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-61",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-61 Session Fixation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-141",
                  "description": "CWE-141 Improper Neutralization of Parameter/Argument Delimiters",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T14:45:34.174Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/elixir-plug/plug/security/advisories/GHSA-wpmj-jh88-rpgm"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-56813.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-56813"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/c6575800b2c4e15af1904df87522ca8a23da020c"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Cookie attribute injection in Plug.Conn.Cookies.encode/2",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eValidate or reject the \u003ctt\u003e;\u003c/tt\u003e delimiter in any untrusted data before passing it as a cookie value or attribute to \u003ctt\u003ePlug.Conn.put_resp_cookie/4\u003c/tt\u003e or \u003ctt\u003ePlug.Conn.Cookies.encode/2\u003c/tt\u003e. Carriage return, line feed, and null bytes are already rejected by \u003ctt\u003ePlug.Conn\u003c/tt\u003e header validation.\u003c/p\u003e"
                }
              ],
              "value": "Validate or reject the \u0027;\u0027 delimiter in any untrusted data before passing it as a cookie value or attribute to Plug.Conn.put_resp_cookie/4 or Plug.Conn.Cookies.encode/2. Carriage return, line feed, and null bytes are already rejected by Plug.Conn header validation."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-56813",
        "datePublished": "2026-07-10T12:51:08.758Z",
        "dateReserved": "2026-06-23T12:29:02.507Z",
        "dateUpdated": "2026-07-10T14:45:34.174Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-56814 (GCVE-0-2026-56814)

    Vulnerability from nvd – Published: 2026-07-10 11:14 – Updated: 2026-07-10 14:41
    VLAI
    Title
    Plug: multipart :length limit is not charged for part headers, enabling unbounded temp-file creation (denial of service)
    Summary
    Plug.Parsers.MULTIPART, the multipart request-body parser used to handle file uploads and multipart forms, does not enforce its :length budget against all consumed resources, allowing an unauthenticated remote attacker to cause denial of service. The parser charges the :length limit only for part body bytes; part header bytes are never counted, and a part with an empty body costs zero. Because every part whose Content-Disposition carries a non-empty filename creates a fresh temporary file (via Plug.Upload) and retains a Plug.Upload struct for the duration of the request, an attacker can send a single request composed of many empty-body file parts. Such a request stays well under the configured :length limit (8,000,000 bytes by default) while creating one temporary file per part, leading to inode and disk exhaustion and unbounded memory growth. Any application using Plug.Parsers with the :multipart parser is affected, and no authentication is required, only reachability of a multipart endpoint over HTTP. This vulnerability is associated with program files lib/plug/parsers/multipart.ex and program routines Plug.Parsers.MULTIPART.parse_multipart/2, Plug.Parsers.MULTIPART.parse_multipart_headers/5, Plug.Parsers.MULTIPART.parse_multipart_body/4, and Plug.Parsers.MULTIPART.parse_multipart_file/4. This issue affects plug: from 1.4.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, and from 1.20.0 before 1.20.3.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    elixir-plug plug Affected: 1.4.0 , < 1.16.6 (semver)
    Affected: 1.17.0 , < 1.17.4 (semver)
    Affected: 1.18.0 , < 1.18.5 (semver)
    Affected: 1.19.0 , < 1.19.5 (semver)
    Affected: 1.20.0 , < 1.20.3 (semver)
        cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*
    Create a notification for this product.
    elixir-plug plug Affected: c52b2f32c90bccd718202bafccb5f95594e30183 , < * (git)
        cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Peter Ullrich Jonatan Männchen José Valim
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-56814",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T14:03:11.744626Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T14:03:28.156Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Plug.Parsers.MULTIPART\u0027"
              ],
              "packageName": "plug",
              "packageURL": "pkg:hex/plug",
              "product": "plug",
              "programFiles": [
                "lib/plug/parsers/multipart.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Plug.Parsers.MULTIPART\u0027:parse_multipart/2"
                },
                {
                  "name": "\u0027Elixir.Plug.Parsers.MULTIPART\u0027:parse_multipart_headers/5"
                },
                {
                  "name": "\u0027Elixir.Plug.Parsers.MULTIPART\u0027:parse_multipart_body/4"
                },
                {
                  "name": "\u0027Elixir.Plug.Parsers.MULTIPART\u0027:parse_multipart_file/4"
                }
              ],
              "repo": "https://github.com/elixir-plug/plug",
              "vendor": "elixir-plug",
              "versions": [
                {
                  "lessThan": "1.16.6",
                  "status": "affected",
                  "version": "1.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.17.4",
                  "status": "affected",
                  "version": "1.17.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.18.5",
                  "status": "affected",
                  "version": "1.18.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.19.5",
                  "status": "affected",
                  "version": "1.19.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.20.3",
                  "status": "affected",
                  "version": "1.20.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Plug.Parsers.MULTIPART\u0027"
              ],
              "packageName": "elixir-plug/plug",
              "packageURL": "pkg:github/elixir-plug/plug",
              "product": "plug",
              "programFiles": [
                "lib/plug/parsers/multipart.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Plug.Parsers.MULTIPART\u0027:parse_multipart/2"
                },
                {
                  "name": "\u0027Elixir.Plug.Parsers.MULTIPART\u0027:parse_multipart_headers/5"
                },
                {
                  "name": "\u0027Elixir.Plug.Parsers.MULTIPART\u0027:parse_multipart_body/4"
                },
                {
                  "name": "\u0027Elixir.Plug.Parsers.MULTIPART\u0027:parse_multipart_file/4"
                }
              ],
              "repo": "https://github.com/elixir-plug/plug",
              "vendor": "elixir-plug",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "981597d3a4271ede64373c7a731702a42c500dd6",
                      "status": "unaffected"
                    },
                    {
                      "at": "56edca2ce35fe5589cd581644d8a4493fa5f484e",
                      "status": "unaffected"
                    },
                    {
                      "at": "0ee8afcc61466dc5f7a8f048d0632c899165b81f",
                      "status": "unaffected"
                    },
                    {
                      "at": "cae36053350e5215a4e0ca33cd130af9c5fc6364",
                      "status": "unaffected"
                    },
                    {
                      "at": "f7effaed811c00b5f5bf817936bfd9c5df27b7dc",
                      "status": "unaffected"
                    },
                    {
                      "at": "df97d3f17f808a9916a7700a701fb85314559d56",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "c52b2f32c90bccd718202bafccb5f95594e30183",
                  "versionType": "git"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.16.6",
                      "versionStartIncluding": "1.4.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.17.4",
                      "versionStartIncluding": "1.17.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.18.5",
                      "versionStartIncluding": "1.18.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.19.5",
                      "versionStartIncluding": "1.19.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.20.3",
                      "versionStartIncluding": "1.20.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Ullrich"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Jonatan M\u00e4nnchen"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jos\u00e9 Valim"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003ctt\u003ePlug.Parsers.MULTIPART\u003c/tt\u003e, the multipart request-body parser used to handle file uploads and multipart forms, does not enforce its \u003ctt\u003e:length\u003c/tt\u003e budget against all consumed resources, allowing an unauthenticated remote attacker to cause denial of service. The parser charges the \u003ctt\u003e:length\u003c/tt\u003e limit only for part body bytes; part header bytes are never counted, and a part with an empty body costs zero.\u003c/p\u003e\u003cp\u003eBecause every part whose \u003ctt\u003eContent-Disposition\u003c/tt\u003e carries a non-empty \u003ctt\u003efilename\u003c/tt\u003e creates a fresh temporary file (via \u003ctt\u003ePlug.Upload\u003c/tt\u003e) and retains a \u003ctt\u003ePlug.Upload\u003c/tt\u003e struct for the duration of the request, an attacker can send a single request composed of many empty-body file parts. Such a request stays well under the configured \u003ctt\u003e:length\u003c/tt\u003e limit (8,000,000 bytes by default) while creating one temporary file per part, leading to inode and disk exhaustion and unbounded memory growth. Any application using \u003ctt\u003ePlug.Parsers\u003c/tt\u003e with the \u003ctt\u003e:multipart\u003c/tt\u003e parser is affected, and no authentication is required, only reachability of a multipart endpoint over HTTP.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/plug/parsers/multipart.ex\u003c/tt\u003e and program routines \u003ctt\u003ePlug.Parsers.MULTIPART.parse_multipart/2\u003c/tt\u003e, \u003ctt\u003ePlug.Parsers.MULTIPART.parse_multipart_headers/5\u003c/tt\u003e, \u003ctt\u003ePlug.Parsers.MULTIPART.parse_multipart_body/4\u003c/tt\u003e, and \u003ctt\u003ePlug.Parsers.MULTIPART.parse_multipart_file/4\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects plug: from 1.4.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, and from 1.20.0 before 1.20.3.\u003c/p\u003e"
                }
              ],
              "value": "Plug.Parsers.MULTIPART, the multipart request-body parser used to handle file uploads and multipart forms, does not enforce its :length budget against all consumed resources, allowing an unauthenticated remote attacker to cause denial of service. The parser charges the :length limit only for part body bytes; part header bytes are never counted, and a part with an empty body costs zero.\n\nBecause every part whose Content-Disposition carries a non-empty filename creates a fresh temporary file (via Plug.Upload) and retains a Plug.Upload struct for the duration of the request, an attacker can send a single request composed of many empty-body file parts. Such a request stays well under the configured :length limit (8,000,000 bytes by default) while creating one temporary file per part, leading to inode and disk exhaustion and unbounded memory growth. Any application using Plug.Parsers with the :multipart parser is affected, and no authentication is required, only reachability of a multipart endpoint over HTTP.\n\nThis vulnerability is associated with program files lib/plug/parsers/multipart.ex and program routines Plug.Parsers.MULTIPART.parse_multipart/2, Plug.Parsers.MULTIPART.parse_multipart_headers/5, Plug.Parsers.MULTIPART.parse_multipart_body/4, and Plug.Parsers.MULTIPART.parse_multipart_file/4.\n\nThis issue affects plug: from 1.4.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, and from 1.20.0 before 1.20.3."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130 Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T14:41:43.299Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/elixir-plug/plug/security/advisories/GHSA-95qv-c9g9-rm63"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-56814.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-56814"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/981597d3a4271ede64373c7a731702a42c500dd6"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/56edca2ce35fe5589cd581644d8a4493fa5f484e"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/0ee8afcc61466dc5f7a8f048d0632c899165b81f"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/cae36053350e5215a4e0ca33cd130af9c5fc6364"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/f7effaed811c00b5f5bf817936bfd9c5df27b7dc"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/df97d3f17f808a9916a7700a701fb85314559d56"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Plug: multipart :length limit is not charged for part headers, enabling unbounded temp-file creation (denial of service)",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-56814",
        "datePublished": "2026-07-10T11:14:35.574Z",
        "dateReserved": "2026-06-23T12:29:02.507Z",
        "dateUpdated": "2026-07-10T14:41:43.299Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54892 (GCVE-0-2026-54892)

    Vulnerability from nvd – Published: 2026-06-23 12:31 – Updated: 2026-06-23 18:21
    VLAI
    Title
    Plug: quadratic-time decoding of nested query/body parameters enables denial of service
    Summary
    Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels. With the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required. This vulnerability is associated with program files lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2. This issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-407 - Inefficient Algorithmic Complexity
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    elixir-plug plug Affected: 1.15.0 , < 1.15.5 (semver)
    Affected: 1.16.0 , < 1.16.4 (semver)
    Affected: 1.17.0 , < 1.17.2 (semver)
    Affected: 1.18.0 , < 1.18.3 (semver)
    Affected: 1.19.0 , < 1.19.3 (semver)
        cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*
    Create a notification for this product.
    elixir-plug plug Affected: 712b875d3442c765d8d37e546ffd5ad9f8afcc55 , < * (git)
        cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Braidon Whatley José Valim Jonatan Männchen / EEF
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54892",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T13:03:58.893269Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T13:04:27.014Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/elixir-plug/plug/security/advisories/GHSA-j43x-5hjq-rgxf"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Plug.Conn.Query\u0027"
              ],
              "packageName": "plug",
              "packageURL": "pkg:hex/plug",
              "product": "plug",
              "programFiles": [
                "lib/plug/conn/query.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Plug.Conn.Query\u0027:decode/4"
                },
                {
                  "name": "\u0027Elixir.Plug.Conn.Query\u0027:decode_each/2"
                },
                {
                  "name": "\u0027Elixir.Plug.Conn.Query\u0027:split_keys/6"
                },
                {
                  "name": "\u0027Elixir.Plug.Conn.Query\u0027:insert_keys/3"
                },
                {
                  "name": "\u0027Elixir.Plug.Conn.Query\u0027:finalize_pointer/2"
                }
              ],
              "repo": "https://github.com/elixir-plug/plug",
              "vendor": "elixir-plug",
              "versions": [
                {
                  "lessThan": "1.15.5",
                  "status": "affected",
                  "version": "1.15.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.16.4",
                  "status": "affected",
                  "version": "1.16.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.17.2",
                  "status": "affected",
                  "version": "1.17.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.18.3",
                  "status": "affected",
                  "version": "1.18.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.19.3",
                  "status": "affected",
                  "version": "1.19.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Plug.Conn.Query\u0027"
              ],
              "packageName": "elixir-plug/plug",
              "packageURL": "pkg:github/elixir-plug/plug",
              "product": "plug",
              "programFiles": [
                "lib/plug/conn/query.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Plug.Conn.Query\u0027:decode/4"
                },
                {
                  "name": "\u0027Elixir.Plug.Conn.Query\u0027:decode_each/2"
                },
                {
                  "name": "\u0027Elixir.Plug.Conn.Query\u0027:split_keys/6"
                },
                {
                  "name": "\u0027Elixir.Plug.Conn.Query\u0027:insert_keys/3"
                },
                {
                  "name": "\u0027Elixir.Plug.Conn.Query\u0027:finalize_pointer/2"
                }
              ],
              "repo": "https://github.com/elixir-plug/plug",
              "vendor": "elixir-plug",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "c317d08fdcf96e17931f7419275b2b8c4bf3e951",
                      "status": "unaffected"
                    },
                    {
                      "at": "9c5d37c440eaae92869eed7c014c47266744fadb",
                      "status": "unaffected"
                    },
                    {
                      "at": "d737eb236f17e31a36290e39f9ef3cd86a1343bd",
                      "status": "unaffected"
                    },
                    {
                      "at": "d4e5568392a4b29e545b91e12e87d6098f976145",
                      "status": "unaffected"
                    },
                    {
                      "at": "a61124aa625d819a218fb07f90afbac8aa85eb0e",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "712b875d3442c765d8d37e546ffd5ad9f8afcc55",
                  "versionType": "git"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.15.5",
                      "versionStartIncluding": "1.15.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.16.4",
                      "versionStartIncluding": "1.16.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.17.2",
                      "versionStartIncluding": "1.17.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.18.3",
                      "versionStartIncluding": "1.18.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.19.3",
                      "versionStartIncluding": "1.19.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Braidon Whatley"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jos\u00e9 Valim"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Jonatan M\u00e4nnchen / EEF"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eInefficient algorithmic complexity in Plug\u0027s nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. \u003ctt\u003ePlug.Conn.Query.decode/4\u003c/tt\u003e (and \u003ctt\u003ePlug.Conn.Query.decode_each/2\u003c/tt\u003e) parse query strings and \u003ctt\u003eapplication/x-www-form-urlencoded\u003c/tt\u003e request bodies. When a key contains many bracketed segments such as \u003ctt\u003ea[a][a][a]=1\u003c/tt\u003e, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels.\u003c/p\u003e\u003cp\u003eWith the default \u003ctt\u003ePlug.Parsers.URLENCODED\u003c/tt\u003e body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/plug/conn/query.ex\u003c/tt\u003e and program routines \u003ctt\u003ePlug.Conn.Query.decode/4\u003c/tt\u003e, \u003ctt\u003ePlug.Conn.Query.decode_each/2\u003c/tt\u003e, \u003ctt\u003ePlug.Conn.Query.split_keys/6\u003c/tt\u003e, \u003ctt\u003ePlug.Conn.Query.insert_keys/3\u003c/tt\u003e, and \u003ctt\u003ePlug.Conn.Query.finalize_pointer/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3.\u003c/p\u003e"
                }
              ],
              "value": "Inefficient algorithmic complexity in Plug\u0027s nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels.\n\nWith the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required.\n\nThis vulnerability is associated with program files lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2.\n\nThis issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-229",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-229 Serialized Data Parameter Blowup"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-407",
                  "description": "CWE-407 Inefficient Algorithmic Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-23T18:21:14.232Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/elixir-plug/plug/security/advisories/GHSA-j43x-5hjq-rgxf"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-54892.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-54892"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/c317d08fdcf96e17931f7419275b2b8c4bf3e951"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/9c5d37c440eaae92869eed7c014c47266744fadb"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/d737eb236f17e31a36290e39f9ef3cd86a1343bd"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/d4e5568392a4b29e545b91e12e87d6098f976145"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/a61124aa625d819a218fb07f90afbac8aa85eb0e"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Plug: quadratic-time decoding of nested query/body parameters enables denial of service",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-54892",
        "datePublished": "2026-06-23T12:31:12.629Z",
        "dateReserved": "2026-06-16T10:47:13.915Z",
        "dateUpdated": "2026-06-23T18:21:14.232Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8468 (GCVE-0-2026-8468)

    Vulnerability from nvd – Published: 2026-05-14 10:29 – Updated: 2026-05-27 15:41
    VLAI
    Title
    Unbounded buffer accumulation in multipart header parsing causes denial of service in plug
    Summary
    Allocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing. 'Elixir.Plug.Conn':read_part_headers/2 in lib/plug/conn.ex does not obey its :length parameter. There is no upper bound on the size of the accumulated buffer. By contrast, the sibling function read_part_body has an explicit byte_size(acc) > length guard that stops accumulation once a limit is reached. No such guard exists in read_part_headers. An unauthenticated remote attacker can exhaust server memory by sending a crafted multipart/form-data request, causing a denial of service. This issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    elixir-plug plug Affected: 1.4.0 , < 1.15.4 (semver)
    Affected: 1.16.0 , < 1.16.3 (semver)
    Affected: 1.17.0 , < 1.17.1 (semver)
    Affected: 1.18.0 , < 1.18.2 (semver)
    Affected: 1.19.0 , < 1.19.2 (semver)
        cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*
    Create a notification for this product.
    elixir-plug plug Affected: c52b2f32c90bccd718202bafccb5f95594e30183 , < * (git)
        cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    José Valim José Valim Jonatan Männchen / EEF
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8468",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-14T17:53:52.632415Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T17:54:23.302Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "Elixir.Plug.Conn"
              ],
              "packageName": "plug",
              "packageURL": "pkg:hex/plug",
              "product": "plug",
              "programFiles": [
                "lib/plug/conn.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Plug.Conn\u0027:read_part_headers/2"
                }
              ],
              "repo": "https://github.com/elixir-plug/plug",
              "vendor": "elixir-plug",
              "versions": [
                {
                  "lessThan": "1.15.4",
                  "status": "affected",
                  "version": "1.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.16.3",
                  "status": "affected",
                  "version": "1.16.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.17.1",
                  "status": "affected",
                  "version": "1.17.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.18.2",
                  "status": "affected",
                  "version": "1.18.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.19.2",
                  "status": "affected",
                  "version": "1.19.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "Elixir.Plug.Conn"
              ],
              "packageName": "elixir-plug/plug",
              "packageURL": "pkg:github/elixir-plug/plug",
              "product": "plug",
              "programFiles": [
                "lib/plug/conn.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Plug.Conn\u0027:read_part_headers/2"
                }
              ],
              "repo": "https://github.com/elixir-plug/plug",
              "vendor": "elixir-plug",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2cb7958d33030aa826b0c7404375844d4593d43a",
                      "status": "unaffected"
                    },
                    {
                      "at": "aa69c5ece99c40ded88b8c6581ecc86664b0b734",
                      "status": "unaffected"
                    },
                    {
                      "at": "d5dfffe25e975585227b1b85d247b0d14164bc45",
                      "status": "unaffected"
                    },
                    {
                      "at": "df812a1527bae9e941965e897308a2b8bbf83a94",
                      "status": "unaffected"
                    },
                    {
                      "at": "33858427c7f2737d560a2e40a0c9a9270d77d1d7",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "c52b2f32c90bccd718202bafccb5f95594e30183",
                  "versionType": "git"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe application must use \u003ctt\u003ePlug.Parsers\u003c/tt\u003e with the \u003ctt\u003e:multipart\u003c/tt\u003e parser, or otherwise call \u003ctt\u003ePlug.Conn.read_part_headers/2\u003c/tt\u003e to process \u003ctt\u003emultipart/form-data\u003c/tt\u003e request bodies. Deployments that do not handle multipart uploads are not affected.\u003c/p\u003e"
                }
              ],
              "value": "The application must use Plug.Parsers with the :multipart parser, or otherwise call Plug.Conn.read_part_headers/2 to process multipart/form-data request bodies. Deployments that do not handle multipart uploads are not affected."
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.15.4",
                      "versionStartIncluding": "1.4.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.16.3",
                      "versionStartIncluding": "1.16.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.17.1",
                      "versionStartIncluding": "1.17.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.18.2",
                      "versionStartIncluding": "1.18.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.19.2",
                      "versionStartIncluding": "1.19.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jos\u00e9 Valim"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jos\u00e9 Valim"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Jonatan M\u00e4nnchen / EEF"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAllocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing.\u003c/p\u003e\u003cp\u003e\u003ctt\u003e\u0027Elixir.Plug.Conn\u0027:read_part_headers/2\u003c/tt\u003e in \u003ctt\u003elib/plug/conn.ex\u003c/tt\u003e does not obey its \u003ctt\u003e:length\u003c/tt\u003e parameter. There is no upper bound on the size of the accumulated buffer. By contrast, the sibling function \u003ctt\u003eread_part_body\u003c/tt\u003e has an explicit \u003ctt\u003ebyte_size(acc) \u0026gt; length\u003c/tt\u003e guard that stops accumulation once a limit is reached. No such guard exists in \u003ctt\u003eread_part_headers\u003c/tt\u003e. An unauthenticated remote attacker can exhaust server memory by sending a crafted \u003ctt\u003emultipart/form-data\u003c/tt\u003e request, causing a denial of service.\u003c/p\u003e\u003cp\u003eThis issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2.\u003c/p\u003e"
                }
              ],
              "value": "Allocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing.\n\n\u0027Elixir.Plug.Conn\u0027:read_part_headers/2 in lib/plug/conn.ex does not obey its :length parameter. There is no upper bound on the size of the accumulated buffer. By contrast, the sibling function read_part_body has an explicit byte_size(acc) \u003e length guard that stops accumulation once a limit is reached. No such guard exists in read_part_headers. An unauthenticated remote attacker can exhaust server memory by sending a crafted multipart/form-data request, causing a denial of service.\n\nThis issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130 Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T15:41:29.241Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/elixir-plug/plug/security/advisories/GHSA-468c-vq7p-gh64"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-8468.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-8468"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-8466.html"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/2cb7958d33030aa826b0c7404375844d4593d43a"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/aa69c5ece99c40ded88b8c6581ecc86664b0b734"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/d5dfffe25e975585227b1b85d247b0d14164bc45"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/df812a1527bae9e941965e897308a2b8bbf83a94"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/33858427c7f2737d560a2e40a0c9a9270d77d1d7"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Unbounded buffer accumulation in multipart header parsing causes denial of service in plug",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-8468",
        "datePublished": "2026-05-14T10:29:51.062Z",
        "dateReserved": "2026-05-13T11:44:42.164Z",
        "dateUpdated": "2026-05-27T15:41:29.241Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-56813 (GCVE-0-2026-56813)

    Vulnerability from cvelistv5 – Published: 2026-07-10 12:51 – Updated: 2026-07-10 14:45
    VLAI
    Title
    Cookie attribute injection in Plug.Conn.Cookies.encode/2
    Summary
    Improper Neutralization of Parameter/Argument Delimiters vulnerability in elixir-plug plug allows an attacker to inject or override HTTP cookie attributes. The Plug.Conn.Cookies.encode/2 function in lib/plug/conn/cookies.ex builds the Set-Cookie response header by interpolating the cookie value and its path, domain, same_site, and extra attributes directly into the header without neutralizing the ';' delimiter that separates cookie attributes. An application that places attacker-controlled data into a cookie value or attribute (for example via Plug.Conn.put_resp_cookie/4 when reflecting a username or preference) lets an attacker inject a ';' to append or override cookie attributes (such as Domain and Path scope, or dropping the Secure and HttpOnly flags), enabling cookie tossing and session fixation. Carriage return, line feed, and null bytes are rejected by Plug.Conn header validation, so HTTP response splitting is not possible, but attribute injection through ';' is not prevented. This issue affects plug: from 0.1.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, from 1.20.0 before 1.20.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-141 - Improper Neutralization of Parameter/Argument Delimiters
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    elixir-plug plug Affected: 0.1.0 , < 1.16.6 (semver)
    Affected: 1.17.0 , < 1.17.4 (semver)
    Affected: 1.18.0 , < 1.18.5 (semver)
    Affected: 1.19.0 , < 1.19.5 (semver)
    Affected: 1.20.0 , < 1.20.3 (semver)
        cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*
    Create a notification for this product.
    elixir-plug plug Affected: f26876aa67aaeb38e616638aa3efbcc2fe2906a5 , < * (git)
        cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Peter Ullrich José Valim Jonatan Männchen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-56813",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T14:43:36.298825Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T14:43:45.849Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Plug.Conn.Cookies\u0027",
                "\u0027Elixir.Plug.Conn\u0027"
              ],
              "packageName": "plug",
              "packageURL": "pkg:hex/plug",
              "product": "plug",
              "programFiles": [
                "lib/plug/conn/cookies.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Plug.Conn.Cookies\u0027:encode/2"
                },
                {
                  "name": "\u0027Elixir.Plug.Conn\u0027:put_resp_cookie/4"
                }
              ],
              "repo": "https://github.com/elixir-plug/plug",
              "vendor": "elixir-plug",
              "versions": [
                {
                  "lessThan": "1.16.6",
                  "status": "affected",
                  "version": "0.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.17.4",
                  "status": "affected",
                  "version": "1.17.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.18.5",
                  "status": "affected",
                  "version": "1.18.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.19.5",
                  "status": "affected",
                  "version": "1.19.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.20.3",
                  "status": "affected",
                  "version": "1.20.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Plug.Conn.Cookies\u0027",
                "\u0027Elixir.Plug.Conn\u0027"
              ],
              "packageName": "elixir-plug/plug",
              "packageURL": "pkg:github/elixir-plug/plug",
              "product": "plug",
              "programFiles": [
                "lib/plug/conn/cookies.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Plug.Conn.Cookies\u0027:encode/2"
                },
                {
                  "name": "\u0027Elixir.Plug.Conn\u0027:put_resp_cookie/4"
                }
              ],
              "repo": "https://github.com/elixir-plug/plug",
              "vendor": "elixir-plug",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3f00dfad4e20ba88472e315c90a25742bf178f8e",
                      "status": "unaffected"
                    },
                    {
                      "at": "a6d1248659022749869963fd302687165ecf8c8b",
                      "status": "unaffected"
                    },
                    {
                      "at": "4167981747fe9ce75f374b94a28861ae950ea992",
                      "status": "unaffected"
                    },
                    {
                      "at": "149d9ed68fee0b4f77efd1e835ce5d785856697b",
                      "status": "unaffected"
                    },
                    {
                      "at": "eceb8315ce9a31ef784943a95a8624ebd1bc7e06",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "f26876aa67aaeb38e616638aa3efbcc2fe2906a5",
                  "versionType": "git"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.16.6",
                      "versionStartIncluding": "0.1.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.17.4",
                      "versionStartIncluding": "1.17.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.18.5",
                      "versionStartIncluding": "1.18.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.19.5",
                      "versionStartIncluding": "1.19.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.20.3",
                      "versionStartIncluding": "1.20.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Ullrich"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jos\u00e9 Valim"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Jonatan M\u00e4nnchen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eImproper Neutralization of Parameter/Argument Delimiters vulnerability in elixir-plug plug allows an attacker to inject or override HTTP cookie attributes.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003ePlug.Conn.Cookies.encode/2\u003c/tt\u003e function in \u003ctt\u003elib/plug/conn/cookies.ex\u003c/tt\u003e builds the \u003ctt\u003eSet-Cookie\u003c/tt\u003e response header by interpolating the cookie value and its \u003ctt\u003epath\u003c/tt\u003e, \u003ctt\u003edomain\u003c/tt\u003e, \u003ctt\u003esame_site\u003c/tt\u003e, and \u003ctt\u003eextra\u003c/tt\u003e attributes directly into the header without neutralizing the \u003ctt\u003e;\u003c/tt\u003e delimiter that separates cookie attributes.\u003c/p\u003e\u003cp\u003eAn application that places attacker-controlled data into a cookie value or attribute (for example via \u003ctt\u003ePlug.Conn.put_resp_cookie/4\u003c/tt\u003e when reflecting a username or preference) lets an attacker inject a \u003ctt\u003e;\u003c/tt\u003e to append or override cookie attributes (such as \u003ctt\u003eDomain\u003c/tt\u003e and \u003ctt\u003ePath\u003c/tt\u003e scope, or dropping the \u003ctt\u003eSecure\u003c/tt\u003e and \u003ctt\u003eHttpOnly\u003c/tt\u003e flags), enabling cookie tossing and session fixation. Carriage return, line feed, and null bytes are rejected by \u003ctt\u003ePlug.Conn\u003c/tt\u003e header validation, so HTTP response splitting is not possible, but attribute injection through \u003ctt\u003e;\u003c/tt\u003e is not prevented.\u003c/p\u003e\u003cp\u003eThis issue affects plug: from 0.1.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, from 1.20.0 before 1.20.3.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Parameter/Argument Delimiters vulnerability in elixir-plug plug allows an attacker to inject or override HTTP cookie attributes.\n\nThe Plug.Conn.Cookies.encode/2 function in lib/plug/conn/cookies.ex builds the Set-Cookie response header by interpolating the cookie value and its path, domain, same_site, and extra attributes directly into the header without neutralizing the \u0027;\u0027 delimiter that separates cookie attributes.\n\nAn application that places attacker-controlled data into a cookie value or attribute (for example via Plug.Conn.put_resp_cookie/4 when reflecting a username or preference) lets an attacker inject a \u0027;\u0027 to append or override cookie attributes (such as Domain and Path scope, or dropping the Secure and HttpOnly flags), enabling cookie tossing and session fixation. Carriage return, line feed, and null bytes are rejected by Plug.Conn header validation, so HTTP response splitting is not possible, but attribute injection through \u0027;\u0027 is not prevented.\n\nThis issue affects plug: from 0.1.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, from 1.20.0 before 1.20.3."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-61",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-61 Session Fixation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-141",
                  "description": "CWE-141 Improper Neutralization of Parameter/Argument Delimiters",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T14:45:34.174Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/elixir-plug/plug/security/advisories/GHSA-wpmj-jh88-rpgm"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-56813.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-56813"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/c6575800b2c4e15af1904df87522ca8a23da020c"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Cookie attribute injection in Plug.Conn.Cookies.encode/2",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eValidate or reject the \u003ctt\u003e;\u003c/tt\u003e delimiter in any untrusted data before passing it as a cookie value or attribute to \u003ctt\u003ePlug.Conn.put_resp_cookie/4\u003c/tt\u003e or \u003ctt\u003ePlug.Conn.Cookies.encode/2\u003c/tt\u003e. Carriage return, line feed, and null bytes are already rejected by \u003ctt\u003ePlug.Conn\u003c/tt\u003e header validation.\u003c/p\u003e"
                }
              ],
              "value": "Validate or reject the \u0027;\u0027 delimiter in any untrusted data before passing it as a cookie value or attribute to Plug.Conn.put_resp_cookie/4 or Plug.Conn.Cookies.encode/2. Carriage return, line feed, and null bytes are already rejected by Plug.Conn header validation."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-56813",
        "datePublished": "2026-07-10T12:51:08.758Z",
        "dateReserved": "2026-06-23T12:29:02.507Z",
        "dateUpdated": "2026-07-10T14:45:34.174Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-56814 (GCVE-0-2026-56814)

    Vulnerability from cvelistv5 – Published: 2026-07-10 11:14 – Updated: 2026-07-10 14:41
    VLAI
    Title
    Plug: multipart :length limit is not charged for part headers, enabling unbounded temp-file creation (denial of service)
    Summary
    Plug.Parsers.MULTIPART, the multipart request-body parser used to handle file uploads and multipart forms, does not enforce its :length budget against all consumed resources, allowing an unauthenticated remote attacker to cause denial of service. The parser charges the :length limit only for part body bytes; part header bytes are never counted, and a part with an empty body costs zero. Because every part whose Content-Disposition carries a non-empty filename creates a fresh temporary file (via Plug.Upload) and retains a Plug.Upload struct for the duration of the request, an attacker can send a single request composed of many empty-body file parts. Such a request stays well under the configured :length limit (8,000,000 bytes by default) while creating one temporary file per part, leading to inode and disk exhaustion and unbounded memory growth. Any application using Plug.Parsers with the :multipart parser is affected, and no authentication is required, only reachability of a multipart endpoint over HTTP. This vulnerability is associated with program files lib/plug/parsers/multipart.ex and program routines Plug.Parsers.MULTIPART.parse_multipart/2, Plug.Parsers.MULTIPART.parse_multipart_headers/5, Plug.Parsers.MULTIPART.parse_multipart_body/4, and Plug.Parsers.MULTIPART.parse_multipart_file/4. This issue affects plug: from 1.4.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, and from 1.20.0 before 1.20.3.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    elixir-plug plug Affected: 1.4.0 , < 1.16.6 (semver)
    Affected: 1.17.0 , < 1.17.4 (semver)
    Affected: 1.18.0 , < 1.18.5 (semver)
    Affected: 1.19.0 , < 1.19.5 (semver)
    Affected: 1.20.0 , < 1.20.3 (semver)
        cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*
    Create a notification for this product.
    elixir-plug plug Affected: c52b2f32c90bccd718202bafccb5f95594e30183 , < * (git)
        cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Peter Ullrich Jonatan Männchen José Valim
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-56814",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T14:03:11.744626Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T14:03:28.156Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Plug.Parsers.MULTIPART\u0027"
              ],
              "packageName": "plug",
              "packageURL": "pkg:hex/plug",
              "product": "plug",
              "programFiles": [
                "lib/plug/parsers/multipart.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Plug.Parsers.MULTIPART\u0027:parse_multipart/2"
                },
                {
                  "name": "\u0027Elixir.Plug.Parsers.MULTIPART\u0027:parse_multipart_headers/5"
                },
                {
                  "name": "\u0027Elixir.Plug.Parsers.MULTIPART\u0027:parse_multipart_body/4"
                },
                {
                  "name": "\u0027Elixir.Plug.Parsers.MULTIPART\u0027:parse_multipart_file/4"
                }
              ],
              "repo": "https://github.com/elixir-plug/plug",
              "vendor": "elixir-plug",
              "versions": [
                {
                  "lessThan": "1.16.6",
                  "status": "affected",
                  "version": "1.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.17.4",
                  "status": "affected",
                  "version": "1.17.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.18.5",
                  "status": "affected",
                  "version": "1.18.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.19.5",
                  "status": "affected",
                  "version": "1.19.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.20.3",
                  "status": "affected",
                  "version": "1.20.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Plug.Parsers.MULTIPART\u0027"
              ],
              "packageName": "elixir-plug/plug",
              "packageURL": "pkg:github/elixir-plug/plug",
              "product": "plug",
              "programFiles": [
                "lib/plug/parsers/multipart.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Plug.Parsers.MULTIPART\u0027:parse_multipart/2"
                },
                {
                  "name": "\u0027Elixir.Plug.Parsers.MULTIPART\u0027:parse_multipart_headers/5"
                },
                {
                  "name": "\u0027Elixir.Plug.Parsers.MULTIPART\u0027:parse_multipart_body/4"
                },
                {
                  "name": "\u0027Elixir.Plug.Parsers.MULTIPART\u0027:parse_multipart_file/4"
                }
              ],
              "repo": "https://github.com/elixir-plug/plug",
              "vendor": "elixir-plug",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "981597d3a4271ede64373c7a731702a42c500dd6",
                      "status": "unaffected"
                    },
                    {
                      "at": "56edca2ce35fe5589cd581644d8a4493fa5f484e",
                      "status": "unaffected"
                    },
                    {
                      "at": "0ee8afcc61466dc5f7a8f048d0632c899165b81f",
                      "status": "unaffected"
                    },
                    {
                      "at": "cae36053350e5215a4e0ca33cd130af9c5fc6364",
                      "status": "unaffected"
                    },
                    {
                      "at": "f7effaed811c00b5f5bf817936bfd9c5df27b7dc",
                      "status": "unaffected"
                    },
                    {
                      "at": "df97d3f17f808a9916a7700a701fb85314559d56",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "c52b2f32c90bccd718202bafccb5f95594e30183",
                  "versionType": "git"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.16.6",
                      "versionStartIncluding": "1.4.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.17.4",
                      "versionStartIncluding": "1.17.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.18.5",
                      "versionStartIncluding": "1.18.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.19.5",
                      "versionStartIncluding": "1.19.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.20.3",
                      "versionStartIncluding": "1.20.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Ullrich"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Jonatan M\u00e4nnchen"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jos\u00e9 Valim"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003ctt\u003ePlug.Parsers.MULTIPART\u003c/tt\u003e, the multipart request-body parser used to handle file uploads and multipart forms, does not enforce its \u003ctt\u003e:length\u003c/tt\u003e budget against all consumed resources, allowing an unauthenticated remote attacker to cause denial of service. The parser charges the \u003ctt\u003e:length\u003c/tt\u003e limit only for part body bytes; part header bytes are never counted, and a part with an empty body costs zero.\u003c/p\u003e\u003cp\u003eBecause every part whose \u003ctt\u003eContent-Disposition\u003c/tt\u003e carries a non-empty \u003ctt\u003efilename\u003c/tt\u003e creates a fresh temporary file (via \u003ctt\u003ePlug.Upload\u003c/tt\u003e) and retains a \u003ctt\u003ePlug.Upload\u003c/tt\u003e struct for the duration of the request, an attacker can send a single request composed of many empty-body file parts. Such a request stays well under the configured \u003ctt\u003e:length\u003c/tt\u003e limit (8,000,000 bytes by default) while creating one temporary file per part, leading to inode and disk exhaustion and unbounded memory growth. Any application using \u003ctt\u003ePlug.Parsers\u003c/tt\u003e with the \u003ctt\u003e:multipart\u003c/tt\u003e parser is affected, and no authentication is required, only reachability of a multipart endpoint over HTTP.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/plug/parsers/multipart.ex\u003c/tt\u003e and program routines \u003ctt\u003ePlug.Parsers.MULTIPART.parse_multipart/2\u003c/tt\u003e, \u003ctt\u003ePlug.Parsers.MULTIPART.parse_multipart_headers/5\u003c/tt\u003e, \u003ctt\u003ePlug.Parsers.MULTIPART.parse_multipart_body/4\u003c/tt\u003e, and \u003ctt\u003ePlug.Parsers.MULTIPART.parse_multipart_file/4\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects plug: from 1.4.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, and from 1.20.0 before 1.20.3.\u003c/p\u003e"
                }
              ],
              "value": "Plug.Parsers.MULTIPART, the multipart request-body parser used to handle file uploads and multipart forms, does not enforce its :length budget against all consumed resources, allowing an unauthenticated remote attacker to cause denial of service. The parser charges the :length limit only for part body bytes; part header bytes are never counted, and a part with an empty body costs zero.\n\nBecause every part whose Content-Disposition carries a non-empty filename creates a fresh temporary file (via Plug.Upload) and retains a Plug.Upload struct for the duration of the request, an attacker can send a single request composed of many empty-body file parts. Such a request stays well under the configured :length limit (8,000,000 bytes by default) while creating one temporary file per part, leading to inode and disk exhaustion and unbounded memory growth. Any application using Plug.Parsers with the :multipart parser is affected, and no authentication is required, only reachability of a multipart endpoint over HTTP.\n\nThis vulnerability is associated with program files lib/plug/parsers/multipart.ex and program routines Plug.Parsers.MULTIPART.parse_multipart/2, Plug.Parsers.MULTIPART.parse_multipart_headers/5, Plug.Parsers.MULTIPART.parse_multipart_body/4, and Plug.Parsers.MULTIPART.parse_multipart_file/4.\n\nThis issue affects plug: from 1.4.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, and from 1.20.0 before 1.20.3."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130 Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T14:41:43.299Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/elixir-plug/plug/security/advisories/GHSA-95qv-c9g9-rm63"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-56814.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-56814"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/981597d3a4271ede64373c7a731702a42c500dd6"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/56edca2ce35fe5589cd581644d8a4493fa5f484e"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/0ee8afcc61466dc5f7a8f048d0632c899165b81f"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/cae36053350e5215a4e0ca33cd130af9c5fc6364"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/f7effaed811c00b5f5bf817936bfd9c5df27b7dc"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/df97d3f17f808a9916a7700a701fb85314559d56"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Plug: multipart :length limit is not charged for part headers, enabling unbounded temp-file creation (denial of service)",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-56814",
        "datePublished": "2026-07-10T11:14:35.574Z",
        "dateReserved": "2026-06-23T12:29:02.507Z",
        "dateUpdated": "2026-07-10T14:41:43.299Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54892 (GCVE-0-2026-54892)

    Vulnerability from cvelistv5 – Published: 2026-06-23 12:31 – Updated: 2026-06-23 18:21
    VLAI
    Title
    Plug: quadratic-time decoding of nested query/body parameters enables denial of service
    Summary
    Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels. With the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required. This vulnerability is associated with program files lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2. This issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-407 - Inefficient Algorithmic Complexity
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    elixir-plug plug Affected: 1.15.0 , < 1.15.5 (semver)
    Affected: 1.16.0 , < 1.16.4 (semver)
    Affected: 1.17.0 , < 1.17.2 (semver)
    Affected: 1.18.0 , < 1.18.3 (semver)
    Affected: 1.19.0 , < 1.19.3 (semver)
        cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*
    Create a notification for this product.
    elixir-plug plug Affected: 712b875d3442c765d8d37e546ffd5ad9f8afcc55 , < * (git)
        cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Braidon Whatley José Valim Jonatan Männchen / EEF
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54892",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T13:03:58.893269Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T13:04:27.014Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/elixir-plug/plug/security/advisories/GHSA-j43x-5hjq-rgxf"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Plug.Conn.Query\u0027"
              ],
              "packageName": "plug",
              "packageURL": "pkg:hex/plug",
              "product": "plug",
              "programFiles": [
                "lib/plug/conn/query.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Plug.Conn.Query\u0027:decode/4"
                },
                {
                  "name": "\u0027Elixir.Plug.Conn.Query\u0027:decode_each/2"
                },
                {
                  "name": "\u0027Elixir.Plug.Conn.Query\u0027:split_keys/6"
                },
                {
                  "name": "\u0027Elixir.Plug.Conn.Query\u0027:insert_keys/3"
                },
                {
                  "name": "\u0027Elixir.Plug.Conn.Query\u0027:finalize_pointer/2"
                }
              ],
              "repo": "https://github.com/elixir-plug/plug",
              "vendor": "elixir-plug",
              "versions": [
                {
                  "lessThan": "1.15.5",
                  "status": "affected",
                  "version": "1.15.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.16.4",
                  "status": "affected",
                  "version": "1.16.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.17.2",
                  "status": "affected",
                  "version": "1.17.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.18.3",
                  "status": "affected",
                  "version": "1.18.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.19.3",
                  "status": "affected",
                  "version": "1.19.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Plug.Conn.Query\u0027"
              ],
              "packageName": "elixir-plug/plug",
              "packageURL": "pkg:github/elixir-plug/plug",
              "product": "plug",
              "programFiles": [
                "lib/plug/conn/query.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Plug.Conn.Query\u0027:decode/4"
                },
                {
                  "name": "\u0027Elixir.Plug.Conn.Query\u0027:decode_each/2"
                },
                {
                  "name": "\u0027Elixir.Plug.Conn.Query\u0027:split_keys/6"
                },
                {
                  "name": "\u0027Elixir.Plug.Conn.Query\u0027:insert_keys/3"
                },
                {
                  "name": "\u0027Elixir.Plug.Conn.Query\u0027:finalize_pointer/2"
                }
              ],
              "repo": "https://github.com/elixir-plug/plug",
              "vendor": "elixir-plug",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "c317d08fdcf96e17931f7419275b2b8c4bf3e951",
                      "status": "unaffected"
                    },
                    {
                      "at": "9c5d37c440eaae92869eed7c014c47266744fadb",
                      "status": "unaffected"
                    },
                    {
                      "at": "d737eb236f17e31a36290e39f9ef3cd86a1343bd",
                      "status": "unaffected"
                    },
                    {
                      "at": "d4e5568392a4b29e545b91e12e87d6098f976145",
                      "status": "unaffected"
                    },
                    {
                      "at": "a61124aa625d819a218fb07f90afbac8aa85eb0e",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "712b875d3442c765d8d37e546ffd5ad9f8afcc55",
                  "versionType": "git"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.15.5",
                      "versionStartIncluding": "1.15.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.16.4",
                      "versionStartIncluding": "1.16.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.17.2",
                      "versionStartIncluding": "1.17.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.18.3",
                      "versionStartIncluding": "1.18.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.19.3",
                      "versionStartIncluding": "1.19.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Braidon Whatley"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jos\u00e9 Valim"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Jonatan M\u00e4nnchen / EEF"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eInefficient algorithmic complexity in Plug\u0027s nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. \u003ctt\u003ePlug.Conn.Query.decode/4\u003c/tt\u003e (and \u003ctt\u003ePlug.Conn.Query.decode_each/2\u003c/tt\u003e) parse query strings and \u003ctt\u003eapplication/x-www-form-urlencoded\u003c/tt\u003e request bodies. When a key contains many bracketed segments such as \u003ctt\u003ea[a][a][a]=1\u003c/tt\u003e, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels.\u003c/p\u003e\u003cp\u003eWith the default \u003ctt\u003ePlug.Parsers.URLENCODED\u003c/tt\u003e body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/plug/conn/query.ex\u003c/tt\u003e and program routines \u003ctt\u003ePlug.Conn.Query.decode/4\u003c/tt\u003e, \u003ctt\u003ePlug.Conn.Query.decode_each/2\u003c/tt\u003e, \u003ctt\u003ePlug.Conn.Query.split_keys/6\u003c/tt\u003e, \u003ctt\u003ePlug.Conn.Query.insert_keys/3\u003c/tt\u003e, and \u003ctt\u003ePlug.Conn.Query.finalize_pointer/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3.\u003c/p\u003e"
                }
              ],
              "value": "Inefficient algorithmic complexity in Plug\u0027s nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels.\n\nWith the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required.\n\nThis vulnerability is associated with program files lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2.\n\nThis issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-229",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-229 Serialized Data Parameter Blowup"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-407",
                  "description": "CWE-407 Inefficient Algorithmic Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-23T18:21:14.232Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/elixir-plug/plug/security/advisories/GHSA-j43x-5hjq-rgxf"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-54892.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-54892"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/c317d08fdcf96e17931f7419275b2b8c4bf3e951"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/9c5d37c440eaae92869eed7c014c47266744fadb"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/d737eb236f17e31a36290e39f9ef3cd86a1343bd"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/d4e5568392a4b29e545b91e12e87d6098f976145"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/a61124aa625d819a218fb07f90afbac8aa85eb0e"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Plug: quadratic-time decoding of nested query/body parameters enables denial of service",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-54892",
        "datePublished": "2026-06-23T12:31:12.629Z",
        "dateReserved": "2026-06-16T10:47:13.915Z",
        "dateUpdated": "2026-06-23T18:21:14.232Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8468 (GCVE-0-2026-8468)

    Vulnerability from cvelistv5 – Published: 2026-05-14 10:29 – Updated: 2026-05-27 15:41
    VLAI
    Title
    Unbounded buffer accumulation in multipart header parsing causes denial of service in plug
    Summary
    Allocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing. 'Elixir.Plug.Conn':read_part_headers/2 in lib/plug/conn.ex does not obey its :length parameter. There is no upper bound on the size of the accumulated buffer. By contrast, the sibling function read_part_body has an explicit byte_size(acc) > length guard that stops accumulation once a limit is reached. No such guard exists in read_part_headers. An unauthenticated remote attacker can exhaust server memory by sending a crafted multipart/form-data request, causing a denial of service. This issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    elixir-plug plug Affected: 1.4.0 , < 1.15.4 (semver)
    Affected: 1.16.0 , < 1.16.3 (semver)
    Affected: 1.17.0 , < 1.17.1 (semver)
    Affected: 1.18.0 , < 1.18.2 (semver)
    Affected: 1.19.0 , < 1.19.2 (semver)
        cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*
    Create a notification for this product.
    elixir-plug plug Affected: c52b2f32c90bccd718202bafccb5f95594e30183 , < * (git)
        cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    José Valim José Valim Jonatan Männchen / EEF
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8468",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-14T17:53:52.632415Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T17:54:23.302Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "Elixir.Plug.Conn"
              ],
              "packageName": "plug",
              "packageURL": "pkg:hex/plug",
              "product": "plug",
              "programFiles": [
                "lib/plug/conn.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Plug.Conn\u0027:read_part_headers/2"
                }
              ],
              "repo": "https://github.com/elixir-plug/plug",
              "vendor": "elixir-plug",
              "versions": [
                {
                  "lessThan": "1.15.4",
                  "status": "affected",
                  "version": "1.4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.16.3",
                  "status": "affected",
                  "version": "1.16.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.17.1",
                  "status": "affected",
                  "version": "1.17.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.18.2",
                  "status": "affected",
                  "version": "1.18.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.19.2",
                  "status": "affected",
                  "version": "1.19.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "Elixir.Plug.Conn"
              ],
              "packageName": "elixir-plug/plug",
              "packageURL": "pkg:github/elixir-plug/plug",
              "product": "plug",
              "programFiles": [
                "lib/plug/conn.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Plug.Conn\u0027:read_part_headers/2"
                }
              ],
              "repo": "https://github.com/elixir-plug/plug",
              "vendor": "elixir-plug",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2cb7958d33030aa826b0c7404375844d4593d43a",
                      "status": "unaffected"
                    },
                    {
                      "at": "aa69c5ece99c40ded88b8c6581ecc86664b0b734",
                      "status": "unaffected"
                    },
                    {
                      "at": "d5dfffe25e975585227b1b85d247b0d14164bc45",
                      "status": "unaffected"
                    },
                    {
                      "at": "df812a1527bae9e941965e897308a2b8bbf83a94",
                      "status": "unaffected"
                    },
                    {
                      "at": "33858427c7f2737d560a2e40a0c9a9270d77d1d7",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "*",
                  "status": "affected",
                  "version": "c52b2f32c90bccd718202bafccb5f95594e30183",
                  "versionType": "git"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe application must use \u003ctt\u003ePlug.Parsers\u003c/tt\u003e with the \u003ctt\u003e:multipart\u003c/tt\u003e parser, or otherwise call \u003ctt\u003ePlug.Conn.read_part_headers/2\u003c/tt\u003e to process \u003ctt\u003emultipart/form-data\u003c/tt\u003e request bodies. Deployments that do not handle multipart uploads are not affected.\u003c/p\u003e"
                }
              ],
              "value": "The application must use Plug.Parsers with the :multipart parser, or otherwise call Plug.Conn.read_part_headers/2 to process multipart/form-data request bodies. Deployments that do not handle multipart uploads are not affected."
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.15.4",
                      "versionStartIncluding": "1.4.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.16.3",
                      "versionStartIncluding": "1.16.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.17.1",
                      "versionStartIncluding": "1.17.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.18.2",
                      "versionStartIncluding": "1.18.0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.19.2",
                      "versionStartIncluding": "1.19.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jos\u00e9 Valim"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jos\u00e9 Valim"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Jonatan M\u00e4nnchen / EEF"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAllocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing.\u003c/p\u003e\u003cp\u003e\u003ctt\u003e\u0027Elixir.Plug.Conn\u0027:read_part_headers/2\u003c/tt\u003e in \u003ctt\u003elib/plug/conn.ex\u003c/tt\u003e does not obey its \u003ctt\u003e:length\u003c/tt\u003e parameter. There is no upper bound on the size of the accumulated buffer. By contrast, the sibling function \u003ctt\u003eread_part_body\u003c/tt\u003e has an explicit \u003ctt\u003ebyte_size(acc) \u0026gt; length\u003c/tt\u003e guard that stops accumulation once a limit is reached. No such guard exists in \u003ctt\u003eread_part_headers\u003c/tt\u003e. An unauthenticated remote attacker can exhaust server memory by sending a crafted \u003ctt\u003emultipart/form-data\u003c/tt\u003e request, causing a denial of service.\u003c/p\u003e\u003cp\u003eThis issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2.\u003c/p\u003e"
                }
              ],
              "value": "Allocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing.\n\n\u0027Elixir.Plug.Conn\u0027:read_part_headers/2 in lib/plug/conn.ex does not obey its :length parameter. There is no upper bound on the size of the accumulated buffer. By contrast, the sibling function read_part_body has an explicit byte_size(acc) \u003e length guard that stops accumulation once a limit is reached. No such guard exists in read_part_headers. An unauthenticated remote attacker can exhaust server memory by sending a crafted multipart/form-data request, causing a denial of service.\n\nThis issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130 Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T15:41:29.241Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/elixir-plug/plug/security/advisories/GHSA-468c-vq7p-gh64"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-8468.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-8468"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-8466.html"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/2cb7958d33030aa826b0c7404375844d4593d43a"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/aa69c5ece99c40ded88b8c6581ecc86664b0b734"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/d5dfffe25e975585227b1b85d247b0d14164bc45"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/df812a1527bae9e941965e897308a2b8bbf83a94"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-plug/plug/commit/33858427c7f2737d560a2e40a0c9a9270d77d1d7"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Unbounded buffer accumulation in multipart header parsing causes denial of service in plug",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-8468",
        "datePublished": "2026-05-14T10:29:51.062Z",
        "dateReserved": "2026-05-13T11:44:42.164Z",
        "dateUpdated": "2026-05-27T15:41:29.241Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }