VYPR

OTP

by Erlang

Source repositories

CVEs (31)

  • CVE-2016-10253CriMar 18, 2017
    risk 0.57cvss 9.8epss 0.01

    An issue was discovered in Erlang/OTP 18.x. Erlang's generation of compiled regular expressions is vulnerable to a heap overflow. Regular expressions using a malformed extpattern can indirectly specify an offset that is used as an array index. This ordinal permits arbitrary…

  • CVE-2026-23941CriMar 13, 2026
    risk 0.54cvss 9.4epss 0.01

    Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling. This vulnerability is associated with program files lib/inets/src/http_server/httpd_request.erl and program routines…

  • CVE-2026-49759HigJun 10, 2026
    risk 0.46cvss 8.2epss 0.01

    Stack-based Buffer Overflow vulnerability in Erlang OTP erts (inet_drv) allows an unauthenticated remote attacker to crash the BEAM VM by sending a crafted SCTP ERROR chunk. The sctp_parse_error_chunk function in erts/emulator/drivers/common/inet_drv.c parses SCTP ERROR chunks…

  • CVE-2026-42790HigMay 27, 2026
    risk 0.46cvss 8.1epss 0.00

    Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_cert and public_key modules) allows a DNS nameConstraints bypass via subject CommonName fallback in TLS hostname verification. Two flaws combine to allow a subordinate CA whose DNS nameConstraints…

  • CVE-2017-1000385MedDec 12, 2017
    risk 0.43cvss 5.9epss 0.22

    The Erlang otp TLS server answers with different TLS alerts to different error types in the RSA PKCS #1 1.5 padding. This allows an attacker to decrypt content or sign messages with the server's private key (this is a variation of the Bleichenbacher attack).

  • CVE-2025-30211HigMar 28, 2025
    risk 0.42cvss 7.5epss 0.00

    Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KEX init message can result with high memory usage. Implementation does not verify RFC specified limits on algorithm names (64…

  • CVE-2025-48041HigSep 11, 2025
    risk 0.39cvss epss 0.00

    Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 until OTP 28.0.3,…

  • CVE-2025-26618HigFeb 20, 2025
    risk 0.39cvss epss 0.00

    Erlang is a programming language and runtime system for building massively scalable soft real-time systems with requirements on high availability. OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in…

  • CVE-2015-2774MedApr 7, 2016
    risk 0.39cvss 5.9epss 0.02

    Erlang/OTP before 18.0-rc1 does not properly check CBC padding bytes when terminating connections, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a variant of CVE-2014-3566 (aka POODLE).

  • CVE-2025-48040MedSep 11, 2025
    risk 0.38cvss epss 0.00

    Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and…

  • CVE-2024-53846MedDec 5, 2024
    risk 0.36cvss 5.5epss 0.00

    OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in Erlang, and a set of design principles for Erlang programs. A regression was introduced into the ssl application of OTP starting at OTP-25.3.2.8,…

  • CVE-2026-48858MedJun 10, 2026
    risk 0.35cvss 6.5epss 0.00

    Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address. The ftp_internal:handle_ctrl_result/2 PASV handler (mode=passive, ipfamily=inet, ftp_extension=false)…

  • CVE-2026-48856MedJun 10, 2026
    risk 0.35cvss 6.5epss 0.00

    Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data. The httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an…

  • CVE-2026-48855MedJun 10, 2026
    risk 0.35cvss 6.5epss 0.00

    Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh (ssh_sftpd module) allows File Discovery. The SSH_FXP_READLINK handler in ssh_sftpd sends the raw result of file:read_link/2 to the client without calling chroot_filename/2 to strip the…

  • CVE-2026-49760MedJun 10, 2026
    risk 0.29cvss 5.5epss 0.00

    Stack-based Buffer Overflow vulnerability in Erlang OTP (erl_interface) allows Stack-based Buffer Overflow. This vulnerability is associated with program file lib/erl_interface/src/misc/ei_printterm.c and program routine ei_s_print_term. The C function ei_s_print_term uses an…

  • CVE-2026-23942MedMar 13, 2026
    risk 0.28cvss 5.4epss 0.00

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (ssh_sftpd module) allows Path Traversal. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:is_within_root/2. …

  • CVE-2026-48859MedJun 10, 2026
    risk 0.27cvss 5.3epss 0.00

    Observable Timing Discrepancy vulnerability in Erlang/OTP ssh (ssh_auth, ssh_options modules) allows unauthenticated remote username enumeration via timing side-channel in password authentication. When the SSH daemon is configured with the user_passwords or password option,…

  • CVE-2026-23943MedMar 13, 2026
    risk 0.27cvss 5.3epss 0.01

    Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion. The SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled…

  • CVE-2025-48039MedSep 11, 2025
    risk 0.27cvss epss 0.00

    Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 until…

  • CVE-2025-48038MedSep 11, 2025
    risk 0.27cvss epss 0.00

    Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 until…

Page 1 of 2