
CVE-2026-23939

High

Published: 26 February 2026

Modified: 06 April 2026
KEV Added: not listed
Patch: available (see the fixed commit below)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0008 (23.6th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-23939 is a high-severity Path Traversal (CWE-22) vulnerability in Hex Hexpm. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique (T1005, listed below).
Threat & Defense Details

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-22): Validates pathnames and filenames to prevent traversal outside intended directories.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Path traversal in the public-facing Local Storage backend directly enables remote exploitation of the web app (T1190) for unauthorized file access and data collection from the local system (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Store.Local' module) allows Relative Path Traversal. This vulnerability is associated with program files lib/hexpm/store/local.ex and program routines 'Elixir.Hexpm.Store.Local':get/3, 'Elixir.Hexpm.Store.Local':put/4, 'Elixir.Hexpm.Store.Local':delete/2, 'Elixir.Hexpm.Store.Local':delete_many/2. This issue does NOT affect hex.pm the service. Only self-hosted deployments using the Local Storage backend are affected. This issue affects hexpm: from 931ee0ed46fa89218e0400a4f6e6d15f96406050 before 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0.

Deeper analysis

CVE-2026-23939 is an Improper Limitation of a Pathname to a Restricted Directory vulnerability, classified as CWE-22 (Path Traversal), affecting the hexpm/hexpm project in its Elixir.Hexpm.Store.Local module. The flaw enables relative path traversal and is tied to specific program files like lib/hexpm/store/local.ex and routines such as Elixir.Hexpm.Store.Local:get/3, put/4, delete/2, and delete_many/2. It impacts self-hosted deployments of hexpm that use the Local Storage backend, from commit 931ee0ed46fa89218e0400a4f6e6d15f96406050 up to but not including 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0. The hex.pm service itself remains unaffected.

Attackers can exploit this vulnerability over the network with low complexity, requiring no privileges, user interaction, or scope changes, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Any unauthenticated remote attacker able to interact with the affected Local Storage backend endpoints could traverse paths to access sensitive files, resulting in high confidentiality impact through unauthorized data disclosure.

Advisories from the CNA at erlef.org, the GitHub security advisory GHSA-42mv-r64p-4869, and the patch commit 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0 recommend updating self-hosted hexpm deployments to the fixed commit or later versions to mitigate the issue. Additional details are available via OSV.dev at osv.dev/vulnerability/EEF-CVE-2026-23939.
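As an added illustration of the mitigating control listed above (confining a caller-supplied storage key to the intended root directory), and not hexpm's own code or its patch: a hypothetical resolver that a Local Storage backend's get/put/delete routines could call before touching the filesystem. The module name, the `resolve/2` and `get/2` functions, the root path and the sample keys are all constructed for this example; it assumes the root is an absolute directory other than "/" and a POSIX path separator.

```elixir
defmodule SafeLocalStore do
  # Hypothetical hardening example, not hexpm's Elixir.Hexpm.Store.Local.
  # Resolves a caller-supplied storage key against a fixed root directory and
  # refuses any key whose normalized path would land outside that root (CWE-22).

  @spec resolve(Path.t(), String.t()) :: {:ok, Path.t()} | {:error, :path_traversal}
  def resolve(root, key) when is_binary(root) and is_binary(key) do
    root = Path.expand(root)

    # Path.expand/2 collapses "." and ".." segments and turns an absolute key
    # into an absolute path, so a key that escapes the root no longer shares
    # the root's prefix once normalized. Comparing against root <> "/" also
    # rejects an empty key and a sibling directory such as "/var/lib/hexpm/store2".
    candidate = Path.expand(key, root)

    if String.starts_with?(candidate, root <> "/") do
      {:ok, candidate}
    else
      {:error, :path_traversal}
    end
  end

  # Read wrapper in the shape of a local-store get: the file is only opened
  # after resolve/2 has accepted the key, so the error tuple propagates unchanged.
  def get(root, key) do
    with {:ok, path} <- resolve(root, key) do
      File.read(path)
    end
  end
end

# Constructed root and sample keys; the last three should be rejected.
root = "/var/lib/hexpm/store"

for key <- [
      "tarballs/phoenix-1.7.0.tar",
      "../../../etc/passwd",
      "tarballs/../../secrets.txt",
      "/etc/passwd"
    ] do
  IO.inspect({key, SafeLocalStore.resolve(root, key)})
end
```

Path.expand/2 normalizes the string only; it does not resolve symbolic links, so a store whose root may contain symlinks also needs a check on the resolved target (for example via :file.read_link_all/1) before trusting the path.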

Details

CWE(s): CWE-22

Affected Products: hex hexpm (2014-09-29 to 2026-02-26)

CVEs Like This One

CVE-2026-21622 (same product: Hex Hexpm)
CVE-2026-23536 (shared CWE-22)
CVE-2025-23422 (shared CWE-22)
CVE-2025-8343 (shared CWE-22)
CVE-2025-10559 (shared CWE-22)
CVE-2025-67076 (shared CWE-22)
CVE-2026-5258 (shared CWE-22)
CVE-2025-25155 (shared CWE-22)
CVE-2024-51376 (shared CWE-22)
CVE-2024-13471 (shared CWE-22)
