VYPR

Hex (Elixir) package

bandit

pkg:hex/bandit

Vulnerabilities (7)

  • CVE-2026-39806 | High | May 13, 2026
    affected >= 1.6.0, < 1.11.1 | fixed 1.11.1

    Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion. 'Elixir.Bandit.HTTP1.Socket':do_read_chunked_data!/5 in lib/bandit/http1/socket.ex terminates only when the last-

  • CVE-2026-39803 | High | May 13, 2026
    affected >= 1.4.0, < 1.11.1 | fixed 1.11.1

    Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion. The chunked clause of 'Elixir.Bandit.HTTP1.Socket':read_data/2 in lib/bandit/http1/socket.ex ignores the caller-supplied :l

  • CVE-2026-42788 | Medium | May 1, 2026
    affected >= 0.3.5, < 1.11.0 | fixed 1.11.0

    Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated memory exhaustion via oversized HTTP/2 frames. 'Elixir.Bandit.HTTP2.Frame':deserialize/2 in lib/bandit/http2/frame.ex checks the SETTINGS_MAX_FRAME_SIZE limit only after p

  • CVE-2026-42786 | High | May 1, 2026
    affected >= 0.5.0, < 1.11.0 | fixed 1.11.0

    Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion. The fragment reassembly path in 'Elixir.Bandit.WebSocket.Connection':handle_frame/3 in lib/bandit/websocket/connection.ex a

  • CVE-2026-39807 | Medium | May 1, 2026
    affected >= 1.0.0, < 1.11.0 | fixed 1.11.0

    Reliance on Untrusted Inputs in a Security Decision vulnerability in mtrudel bandit allows unauthenticated transport-state spoofing on plaintext HTTP connections. 'Elixir.Bandit.Pipeline':determine_scheme/2 in lib/bandit/pipeline.ex returns the client-supplied URI scheme verbati

  • CVE-2026-39805 | Medium | May 1, 2026
    affected < 1.11.0 | fixed 1.11.0

    Inconsistent Interpretation of HTTP Requests vulnerability in mtrudel bandit allows HTTP request smuggling via duplicate Content-Length headers. 'Elixir.Bandit.Headers':get_content_length/1 in lib/bandit/headers.ex uses List.keyfind/3, which returns only the first matching heade

  • CVE-2026-39804 | High | May 1, 2026
    affected >= 0.5.8, < 1.11.0 | fixed 1.11.0

    Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled. 'Elixir.Bandit.WebSocket.PerMessageDeflate':inflate/2 in lib/bandi