Vendor
Plug Multipart Header Parsing Denial-of-Service Vulnerability (CVE-2026-8468)
2 rules 1 TTP 1 CVE
Plug versions 1.4.0 to 1.19.1 are vulnerable to denial-of-service (CVE-2026-8468) due to unbounded buffer accumulation in multipart header parsing, allowing an unauthenticated attacker to exhaust server memory by sending a crafted multipart/form-data request.
Bandit HTTP/1 Chunked Request Trailer Denial of Service
2 rules 1 TTP 1 CVE
Bandit versions 1.6.0 through 1.11.0 are vulnerable to an unauthenticated denial-of-service (CVE-2026-39806) via a chunked request with trailers, where sending a request with `Transfer-Encoding: chunked` and a trailer field causes the connection's worker process to spin forever in an infinite recursion, exhausting the listener pool and rendering the server unresponsive.
Bandit HTTP/1 Chunked Request DoS Vulnerability
1 rule 1 TTP 1 CVE
Bandit's HTTP/1 chunked-body reader silently drops the request size cap, leading to excessive memory buffering. An unauthenticated attacker can crash Bandit-fronted Phoenix/Plug applications by sending a single `Transfer-Encoding: chunked` request to any URL, causing BEAM memory exhaustion and a denial-of-service.
Postgrex SQL Injection Vulnerability in Notifications.listen/3 (CVE-2026-32687)
2 rules 1 TTP 1 CVE
A SQL injection vulnerability exists in Postgrex versions 0.16.0 to before 0.22.2 within the `Postgrex.Notifications.listen/3` function, allowing attackers to execute arbitrary SQL commands on the notifications connection by manipulating the channel name.
Absinthe GraphQL Fragment Validation Denial-of-Service (CVE-2026-43967)
2 rules 1 TTP 1 CVE
A denial-of-service vulnerability exists in the Absinthe GraphQL library (versions 1.2.0 to 1.10.1), where an unauthenticated attacker can exhaust server resources by submitting a crafted GraphQL query with a large number of fragment definitions due to the quadratic complexity of fragment name uniqueness validation.
Absinthe GraphQL Atom Table Exhaustion Vulnerability
2 rules 1 TTP 1 CVE
Absinthe versions 1.5.0 to before 1.10.2 are vulnerable to a denial-of-service attack (CVE-2026-42793) due to unbounded atom creation when parsing GraphQL SDL documents, allowing an attacker to exhaust the Erlang VM's atom table and crash the entire node by submitting a crafted document with numerous unique directive names.
ex_webrtc Missing DTLS Fingerprint Validation Allows MITM
2 rules 1 TTP
The ex_webrtc library is vulnerable to a man-in-the-middle attack due to missing DTLS peer certificate fingerprint validation in the DTLS client role, potentially allowing interception of media and data channels when chained with insecure signaling or a peer with similar validation gaps. Upgrade to versions 0.15.1 or 0.16.1 to mitigate this vulnerability.
Erlang/OTP Information Disclosure Vulnerability
2 rules 1 TTP
A remote, authenticated attacker can exploit an unspecified vulnerability in Erlang/OTP to disclose sensitive information.
Bandit WebSocket permessage-deflate unbounded inflate leads to DoS
3 rules 6 TTPs
Bandit versions 0.5.8 to before 1.11.0 are vulnerable to denial of service when permessage-deflate is enabled, allowing an unauthenticated client to exhaust the BEAM's memory with a single, small, compressed WebSocket frame due to unbounded decompression.
Plug.Cowboy HTTP/2 Atom Table Exhaustion DoS
2 rules 1 TTP 1 CVE
An unauthenticated remote denial-of-service vulnerability in Plug.Cowboy allows attackers to exhaust the BEAM atom table via HTTP/2 requests, crashing the Erlang VM.
Phoenix Long-Poll Transport Denial-of-Service Vulnerability
2 rules 2 TTPs 1 CVE
An unauthenticated denial-of-service vulnerability in Phoenix's long-poll transport allows a remote client to exhaust server memory by sending a series of crafted HTTP requests, affecting LiveView apps with a public Longpoll socket or a Phoenix.Socket with the longpoll option.