2 vulnerabilities found for plug by elixir-plug
CVE-2026-54892 (GCVE-0-2026-54892)
Vulnerability from cvelistv5 – Published: 2026-06-23 12:31 – Updated: 2026-06-23 18:21
Title
Plug: quadratic-time decoding of nested query/body parameters enables denial of service
Summary
Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels.
With the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels (each `[a]` segment costs three bytes) and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required.
This vulnerability is associated with program files lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2.
This issue affects plug from 1.15.0 before 1.15.5, and the 1.16, 1.17, 1.18 and 1.19 release lines before 1.16.4, 1.17.2, 1.18.3 and 1.19.3 respectively.
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| elixir-plug | plug | Affected: 1.15.0 , < 1.15.5 (semver); Affected: 1.16.0 , < 1.16.4 (semver); Affected: 1.17.0 , < 1.17.2 (semver); Affected: 1.18.0 , < 1.18.3 (semver); Affected: 1.19.0 , < 1.19.3 (semver); cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:* |
Credits
Braidon Whatley
José Valim
Jonatan Männchen / EEF
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54892",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T13:03:58.893269Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T13:04:27.014Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/elixir-plug/plug/security/advisories/GHSA-j43x-5hjq-rgxf"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Plug.Conn.Query\u0027"
],
"packageName": "plug",
"packageURL": "pkg:hex/plug",
"product": "plug",
"programFiles": [
"lib/plug/conn/query.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Plug.Conn.Query\u0027:decode/4"
},
{
"name": "\u0027Elixir.Plug.Conn.Query\u0027:decode_each/2"
},
{
"name": "\u0027Elixir.Plug.Conn.Query\u0027:split_keys/6"
},
{
"name": "\u0027Elixir.Plug.Conn.Query\u0027:insert_keys/3"
},
{
"name": "\u0027Elixir.Plug.Conn.Query\u0027:finalize_pointer/2"
}
],
"repo": "https://github.com/elixir-plug/plug",
"vendor": "elixir-plug",
"versions": [
{
"lessThan": "1.15.5",
"status": "affected",
"version": "1.15.0",
"versionType": "semver"
},
{
"lessThan": "1.16.4",
"status": "affected",
"version": "1.16.0",
"versionType": "semver"
},
{
"lessThan": "1.17.2",
"status": "affected",
"version": "1.17.0",
"versionType": "semver"
},
{
"lessThan": "1.18.3",
"status": "affected",
"version": "1.18.0",
"versionType": "semver"
},
{
"lessThan": "1.19.3",
"status": "affected",
"version": "1.19.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Plug.Conn.Query\u0027"
],
"packageName": "elixir-plug/plug",
"packageURL": "pkg:github/elixir-plug/plug",
"product": "plug",
"programFiles": [
"lib/plug/conn/query.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Plug.Conn.Query\u0027:decode/4"
},
{
"name": "\u0027Elixir.Plug.Conn.Query\u0027:decode_each/2"
},
{
"name": "\u0027Elixir.Plug.Conn.Query\u0027:split_keys/6"
},
{
"name": "\u0027Elixir.Plug.Conn.Query\u0027:insert_keys/3"
},
{
"name": "\u0027Elixir.Plug.Conn.Query\u0027:finalize_pointer/2"
}
],
"repo": "https://github.com/elixir-plug/plug",
"vendor": "elixir-plug",
"versions": [
{
"changes": [
{
"at": "c317d08fdcf96e17931f7419275b2b8c4bf3e951",
"status": "unaffected"
},
{
"at": "9c5d37c440eaae92869eed7c014c47266744fadb",
"status": "unaffected"
},
{
"at": "d737eb236f17e31a36290e39f9ef3cd86a1343bd",
"status": "unaffected"
},
{
"at": "d4e5568392a4b29e545b91e12e87d6098f976145",
"status": "unaffected"
},
{
"at": "a61124aa625d819a218fb07f90afbac8aa85eb0e",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "712b875d3442c765d8d37e546ffd5ad9f8afcc55",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.15.5",
"versionStartIncluding": "1.15.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.16.4",
"versionStartIncluding": "1.16.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.17.2",
"versionStartIncluding": "1.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.18.3",
"versionStartIncluding": "1.18.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.19.3",
"versionStartIncluding": "1.19.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Braidon Whatley"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jos\u00e9 Valim"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eInefficient algorithmic complexity in Plug\u0027s nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. \u003ctt\u003ePlug.Conn.Query.decode/4\u003c/tt\u003e (and \u003ctt\u003ePlug.Conn.Query.decode_each/2\u003c/tt\u003e) parse query strings and \u003ctt\u003eapplication/x-www-form-urlencoded\u003c/tt\u003e request bodies. When a key contains many bracketed segments such as \u003ctt\u003ea[a][a][a]=1\u003c/tt\u003e, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels.\u003c/p\u003e\u003cp\u003eWith the default \u003ctt\u003ePlug.Parsers.URLENCODED\u003c/tt\u003e body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/plug/conn/query.ex\u003c/tt\u003e and program routines \u003ctt\u003ePlug.Conn.Query.decode/4\u003c/tt\u003e, \u003ctt\u003ePlug.Conn.Query.decode_each/2\u003c/tt\u003e, \u003ctt\u003ePlug.Conn.Query.split_keys/6\u003c/tt\u003e, \u003ctt\u003ePlug.Conn.Query.insert_keys/3\u003c/tt\u003e, and \u003ctt\u003ePlug.Conn.Query.finalize_pointer/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3.\u003c/p\u003e"
}
],
"value": "Inefficient algorithmic complexity in Plug\u0027s nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels.\n\nWith the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required.\n\nThis vulnerability is associated with program files lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2.\n\nThis issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3."
}
],
"impacts": [
{
"capecId": "CAPEC-229",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-229 Serialized Data Parameter Blowup"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407 Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T18:21:14.232Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-plug/plug/security/advisories/GHSA-j43x-5hjq-rgxf"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-54892.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-54892"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-plug/plug/commit/c317d08fdcf96e17931f7419275b2b8c4bf3e951"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-plug/plug/commit/9c5d37c440eaae92869eed7c014c47266744fadb"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-plug/plug/commit/d737eb236f17e31a36290e39f9ef3cd86a1343bd"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-plug/plug/commit/d4e5568392a4b29e545b91e12e87d6098f976145"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-plug/plug/commit/a61124aa625d819a218fb07f90afbac8aa85eb0e"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Plug: quadratic-time decoding of nested query/body parameters enables denial of service",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-54892",
"datePublished": "2026-06-23T12:31:12.629Z",
"dateReserved": "2026-06-16T10:47:13.915Z",
"dateUpdated": "2026-06-23T18:21:14.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8468 (GCVE-0-2026-8468)
Vulnerability from cvelistv5 – Published: 2026-05-14 10:29 – Updated: 2026-05-27 15:41
Title
Unbounded buffer accumulation in multipart header parsing causes denial of service in plug
Summary
Allocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing.
'Elixir.Plug.Conn':read_part_headers/2 in lib/plug/conn.ex does not enforce its :length parameter. There is no upper bound on the size of the accumulated buffer. By contrast, the sibling function read_part_body has an explicit byte_size(acc) > length guard that stops accumulation once a limit is reached. No such guard exists in read_part_headers. An unauthenticated remote attacker can exhaust server memory by sending a crafted multipart/form-data request, causing a denial of service.
This issue affects plug from 1.4.0 before 1.15.4, and the 1.16, 1.17, 1.18 and 1.19 release lines before 1.16.3, 1.17.1, 1.18.2 and 1.19.2 respectively.
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| elixir-plug | plug | Affected: 1.4.0 , < 1.15.4 (semver); Affected: 1.16.0 , < 1.16.3 (semver); Affected: 1.17.0 , < 1.17.1 (semver); Affected: 1.18.0 , < 1.18.2 (semver); Affected: 1.19.0 , < 1.19.2 (semver); cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:* |
Credits
José Valim
José Valim
Jonatan Männchen / EEF
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8468",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T17:53:52.632415Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T17:54:23.302Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"Elixir.Plug.Conn"
],
"packageName": "plug",
"packageURL": "pkg:hex/plug",
"product": "plug",
"programFiles": [
"lib/plug/conn.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Plug.Conn\u0027:read_part_headers/2"
}
],
"repo": "https://github.com/elixir-plug/plug",
"vendor": "elixir-plug",
"versions": [
{
"lessThan": "1.15.4",
"status": "affected",
"version": "1.4.0",
"versionType": "semver"
},
{
"lessThan": "1.16.3",
"status": "affected",
"version": "1.16.0",
"versionType": "semver"
},
{
"lessThan": "1.17.1",
"status": "affected",
"version": "1.17.0",
"versionType": "semver"
},
{
"lessThan": "1.18.2",
"status": "affected",
"version": "1.18.0",
"versionType": "semver"
},
{
"lessThan": "1.19.2",
"status": "affected",
"version": "1.19.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"Elixir.Plug.Conn"
],
"packageName": "elixir-plug/plug",
"packageURL": "pkg:github/elixir-plug/plug",
"product": "plug",
"programFiles": [
"lib/plug/conn.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Plug.Conn\u0027:read_part_headers/2"
}
],
"repo": "https://github.com/elixir-plug/plug",
"vendor": "elixir-plug",
"versions": [
{
"changes": [
{
"at": "2cb7958d33030aa826b0c7404375844d4593d43a",
"status": "unaffected"
},
{
"at": "aa69c5ece99c40ded88b8c6581ecc86664b0b734",
"status": "unaffected"
},
{
"at": "d5dfffe25e975585227b1b85d247b0d14164bc45",
"status": "unaffected"
},
{
"at": "df812a1527bae9e941965e897308a2b8bbf83a94",
"status": "unaffected"
},
{
"at": "33858427c7f2737d560a2e40a0c9a9270d77d1d7",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "c52b2f32c90bccd718202bafccb5f95594e30183",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe application must use \u003ctt\u003ePlug.Parsers\u003c/tt\u003e with the \u003ctt\u003e:multipart\u003c/tt\u003e parser, or otherwise call \u003ctt\u003ePlug.Conn.read_part_headers/2\u003c/tt\u003e to process \u003ctt\u003emultipart/form-data\u003c/tt\u003e request bodies. Deployments that do not handle multipart uploads are not affected.\u003c/p\u003e"
}
],
"value": "The application must use Plug.Parsers with the :multipart parser, or otherwise call Plug.Conn.read_part_headers/2 to process multipart/form-data request bodies. Deployments that do not handle multipart uploads are not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.15.4",
"versionStartIncluding": "1.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.16.3",
"versionStartIncluding": "1.16.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.17.1",
"versionStartIncluding": "1.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.18.2",
"versionStartIncluding": "1.18.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.19.2",
"versionStartIncluding": "1.19.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jos\u00e9 Valim"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jos\u00e9 Valim"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAllocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing.\u003c/p\u003e\u003cp\u003e\u003ctt\u003e\u0027Elixir.Plug.Conn\u0027:read_part_headers/2\u003c/tt\u003e in \u003ctt\u003elib/plug/conn.ex\u003c/tt\u003e does not obey its \u003ctt\u003e:length\u003c/tt\u003e parameter. There is no upper bound on the size of the accumulated buffer. By contrast, the sibling function \u003ctt\u003eread_part_body\u003c/tt\u003e has an explicit \u003ctt\u003ebyte_size(acc) \u0026gt; length\u003c/tt\u003e guard that stops accumulation once a limit is reached. No such guard exists in \u003ctt\u003eread_part_headers\u003c/tt\u003e. An unauthenticated remote attacker can exhaust server memory by sending a crafted \u003ctt\u003emultipart/form-data\u003c/tt\u003e request, causing a denial of service.\u003c/p\u003e\u003cp\u003eThis issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2.\u003c/p\u003e"
}
],
"value": "Allocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing.\n\n\u0027Elixir.Plug.Conn\u0027:read_part_headers/2 in lib/plug/conn.ex does not obey its :length parameter. There is no upper bound on the size of the accumulated buffer. By contrast, the sibling function read_part_body has an explicit byte_size(acc) \u003e length guard that stops accumulation once a limit is reached. No such guard exists in read_part_headers. An unauthenticated remote attacker can exhaust server memory by sending a crafted multipart/form-data request, causing a denial of service.\n\nThis issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T15:41:29.241Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-plug/plug/security/advisories/GHSA-468c-vq7p-gh64"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-8468.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-8468"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-8466.html"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-plug/plug/commit/2cb7958d33030aa826b0c7404375844d4593d43a"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-plug/plug/commit/aa69c5ece99c40ded88b8c6581ecc86664b0b734"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-plug/plug/commit/d5dfffe25e975585227b1b85d247b0d14164bc45"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-plug/plug/commit/df812a1527bae9e941965e897308a2b8bbf83a94"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-plug/plug/commit/33858427c7f2737d560a2e40a0c9a9270d77d1d7"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Unbounded buffer accumulation in multipart header parsing causes denial of service in plug",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-8468",
"datePublished": "2026-05-14T10:29:51.062Z",
"dateReserved": "2026-05-13T11:44:42.164Z",
"dateUpdated": "2026-05-27T15:41:29.241Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}