CVE-2026-21618
Cross-Site Scripting in Hexpm SharedAuthorizationView Module
Publication date: 2026-01-19
Last updated on: 2026-04-06
Assigner: EEF
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hex | hexpm | From 2025-10-01 (inc) to 2026-01-19 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21618 is a Cross-Site Scripting (XSS) vulnerability in the Hexpm project, specifically in the OAuth Device Authorization/verification screen. It occurs because user-controlled input, such as scope names and descriptions, is improperly neutralized and rendered without proper escaping. This allows an attacker to inject malicious HTML or JavaScript code into the web page. The vulnerability was caused by unsafe string interpolation using the raw() function, which failed to escape input correctly. The fix replaced raw HTML generation with safe HEEx templates and Phoenix HTML helpers that automatically escape user input, preventing script injection. [1, 2]
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to execute arbitrary JavaScript in your browser when you open a maliciously crafted link related to the OAuth Device Authorization flow. This can lead to the attacker reading or manipulating data on the device verification page, interfering with the OAuth authorization process, or performing actions on your behalf within that flow. Exploitation requires no privileges or authentication but does require that you interact by opening the malicious link. The confidentiality and integrity of data within the affected page context are highly impacted, though availability is not affected. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious or maliciously crafted URLs targeting the OAuth Device Authorization/verification page of the hexpm application, especially those containing unescaped or unexpected input parameters that might trigger cross-site scripting (XSS). Since the vulnerability involves reflected input in web pages, one practical approach is to test the affected endpoints by sending crafted requests with typical XSS payloads and observing whether the payload is executed or reflected unsafely. Specific commands could include using curl or wget to send crafted HTTP requests to the OAuth device verification URL and inspecting the response for unescaped script tags or HTML. For example: curl -v 'https://your-hexpm-instance/oauth/device/verify?scope=<script>alert(1)</script>' and then checking the response body for the presence of the script tag without proper escaping. Additionally, web vulnerability scanners that test for reflected XSS can be used against the affected endpoints. However, no exact commands are provided in the resources. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the hexpm application to the fixed version that includes commit c692438684ead90c3bcbfb9ccf4e63c768c668a8, which replaces unsafe raw HTML interpolation with HEEx templates and Phoenix HTML helpers to ensure proper escaping of user input. If updating immediately is not possible, consider implementing input validation and output encoding on the OAuth Device Authorization/verification page to neutralize malicious input. Additionally, educate users to avoid clicking on suspicious links related to the OAuth device verification flow. Applying web application firewall (WAF) rules to detect and block typical XSS payloads targeting the affected endpoints can also help reduce risk until the patch is applied. [1, 2]
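The following Elixir snippet is an added illustration, not hexpm's own code or the referenced commit: it reconstructs the raw()-over-interpolated-string pattern that the explanation and mitigation answers describe, next to two escaped renderings (explicit Phoenix.HTML escaping and a HEEx function component). Module names, the scope data and the helper functions are constructed; it assumes the phoenix_html and phoenix_live_view packages are available.

```elixir
# Added example, not hexpm's own code. Contrasts the unsafe raw/1 pattern the
# advisory describes with escaped output. All names and values are constructed.
defmodule ScopeRender do
  # Vulnerable pattern: the interpolated string is marked safe with raw/1,
  # so any markup inside `name` or `desc` is emitted to the browser verbatim.
  def render_unsafe(%{name: name, desc: desc}) do
    Phoenix.HTML.raw("<li><strong>#{name}</strong>: #{desc}</li>")
  end

  # Hardened without templates: HTML-escape every untrusted value first, so
  # only already-escaped text is wrapped in raw/1.
  def render_escaped(%{name: name, desc: desc}) do
    esc = fn v -> v |> Phoenix.HTML.html_escape() |> Phoenix.HTML.safe_to_string() end
    Phoenix.HTML.raw("<li><strong>#{esc.(name)}</strong>: #{esc.(desc)}</li>")
  end
end

defmodule ScopeComponent do
  use Phoenix.Component

  # Hardened with HEEx (the approach the advisory names): the template engine
  # escapes each interpolated assign, so no manual escaping is needed.
  def scope_item(assigns) do
    ~H"""
    <li><strong><%= @name %></strong>: <%= @desc %></li>
    """
  end
end

# Constructed sample scope whose description carries the payload quoted in
# the detection answer above.
scope = %{name: "api:read", desc: "<script>alert(1)</script>"}

# Render any Phoenix.HTML.Safe value (a {:safe, iodata} tuple or a HEEx
# Rendered struct) to a plain string for comparison.
to_html = fn safe -> safe |> Phoenix.HTML.Safe.to_iodata() |> IO.iodata_to_binary() end

# The unsafe rendering still contains a literal <script> element; the two
# escaped renderings contain only entity-encoded text.
IO.puts(to_html.(ScopeRender.render_unsafe(scope)))
IO.puts(to_html.(ScopeRender.render_escaped(scope)))
IO.puts(to_html.(ScopeComponent.scope_item(scope)))
```

Comparing the three outputs side by side shows why interpolating untrusted values into a string before calling raw/1 defeats the escaping that Phoenix otherwise applies.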