CVE Daily
← All tags

Tag: Erlang

All CVEs associated with "Erlang". Page 1/1 • 53 CVEs.

About “Erlang”

A curated feed of “Erlang”-related CVEs appears below. We currently track 53 CVEs for this tag (all time). In the last 365 days, 22 were published. Average CVSS is 6.8 (all time; 6.3 over 365d), and 57% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-400 - Uncontrolled Resource Consumption, CWE-295 - Improper Certificate Validation, CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

In our taxonomy this topic maps to a LOW impact class. Language runtimes and libraries cascade through dependency graphs. Upgrade runtime and toolchain, pin versions, rebuild images, and enable SAST or DAST and linters. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: erlang

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

CycleReleaseLatestPremier SupportEOLLTS
2828.5.0.1Unavailable
2727.3.4.12
2626.2.5.21 Expired
2525.3.2.21 Expired
2424.3.4.17 Expired
2323.3.4.20 Expired
2222.3.4.27 Expired
2121.3.8.24 Expired
2020.3.8.26 Expired
1919.3.6.13 Expired
1818.3.4.11 Expired
1717.5.6.10 Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS  ·  RSS (expired)  ·  ICS

Subscribe CVEs: RSS for “Erlang”  ·  RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-05-27
High

CVE-2026-42790

Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_cert and public_key modules) allows a DNS nameConstraints bypass via subject CommonName fallback in TLS hostname verific…

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
Low

CVE-2026-42791

Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows forged OCSP responses signed with an expired responder certificate to be accepted as valid. OCSP re…

CVSS: 3.7 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2026-42789

Improper Following of a Certificate's Chain of Trust vulnerability in Erlang OTP public_key (pubkey_cert module) allows a non-CA certificate to be accepted as an intermediate issuer, enabling certifi…

CVSS: 7.0 CWE: CWE-295 - Improper Certificate Validation View on NVD
2026-05-08
High

CVE-2026-42793

Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled Gra…

CVSS: 7.5 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
2026-04-27
High

CVE-2026-32688

Allocation of Resources Without Limits or Throttling vulnerability in elixir-plug plug_cowboy allows unauthenticated remote denial of service via atom table exhaustion. Plug.Cowboy.Conn.conn/1 in li…

CVSS: 7.5 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
2026-04-21
Medium

CVE-2026-32147

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to modify file attributes outside t…

CVSS: 4.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2026-04-07
High

CVE-2026-32144

Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows OCSP designated-responder authorization bypass via missing signature verification. The OCSP respons…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
Critical

CVE-2026-28808

Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias. When script_alias maps a U…

CVSS: 9.8 CWE: CWE-863 - Incorrect Authorization View on NVD
Low

CVE-2026-28810

Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP kernel (inet_res, inet_db modules) allows DNS Cache Poisoning. The built-in DNS resolver (inet_res) uses a sequential, pr…

CVSS: 3.7 CWE: CWE-340 - Generation of Predictable Numbers or Identifiers View on NVD
2026-04-02
High

CVE-2026-34593

Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.cast_input/2 unconditionally creates a new Erlang atom via Module.conca…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2026-03-23
Medium

CVE-2026-28809

XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potential…

CVSS: 5.3 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
2026-03-13
Medium

CVE-2026-23943

Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion. The SSH transport layer advert…

CVSS: 5.3 CWE: CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification) View on NVD
Medium

CVE-2026-23942

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (ssh_sftpd module) allows Path Traversal. This vulnerability is associated with program fil…

CVSS: 5.4 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Critical

CVE-2026-23941

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling. This vulnerability is associated with program…

CVSS: 9.4 CWE: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') View on NVD
2026-02-27
High

CVE-2026-21619

Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Obje…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2026-02-20
Low

CVE-2026-21620

Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (tftp_file modules), erlang otp tftp (tftp_file module…

CVSS: 2.3 CWE: CWE-23 - Relative Path Traversal View on NVD
2025-12-16
Medium

CVE-2025-68113

ALTCHA is privacy-first software for captcha and bot protection. A cryptographic semantic binding flaw in ALTCHA libraries allows challenge payload splicing, which may enable replay attacks. The HMAC…

CVSS: 6.5 CWE: CWE-115 - Misinterpretation of Input View on NVD
2025-09-11
High

CVE-2025-48041

Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/…

CVSS: 7.1 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Medium

CVE-2025-48040

Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.e…

CVSS: 6.9 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Medium

CVE-2025-48039

Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with prog…

CVSS: 5.3 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Medium

CVE-2025-48038

Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with prog…

CVSS: 5.3 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2025-06-16
Medium

CVE-2025-4748

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is as…

CVSS: 4.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2025-05-08
Low

CVE-2025-46712

Erlang/OTP is a set of libraries for the Erlang programming language. In versions prior to OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25), Erlang/OTP SSH fails to…

CVSS: 3.7 CWE: CWE-440 - Expected Behavior Violation View on NVD
2025-04-16
Critical

CVE-2025-32433

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated rem…

CVSS: 10.0 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2025-03-28
High

CVE-2025-30211

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KEX init message can result with high memory usage.…

CVSS: 7.5 CWE: CWE-789 - Memory Allocation with Excessive Size Value View on NVD
2025-02-20
High

CVE-2025-26618

Erlang is a programming language and runtime system for building massively scalable soft real-time systems with requirements on high availability. OTP is a set of Erlang libraries, which consists of…

CVSS: 7.0 CWE: CWE-789 - Memory Allocation with Excessive Size Value View on NVD
2024-12-05
Medium

CVE-2024-53846

OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in Erlang, and a set of design principles for Erlang programs. A regr…

CVSS: 5.5 CWE: CWE-295 - Improper Certificate Validation View on NVD
2024-04-04
Medium

CVE-2024-31209

oidcc is the OpenID Connect client library for Erlang. Denial of Service (DoS) by Atom exhaustion is possible by calling `oidcc_provider_configuration_worker:get_provider_configuration/1` or `oidcc_p…

CVSS: 5.3 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2024-03-19
Medium

CVE-2023-50966

erlang-jose (aka JOSE for Erlang and Elixir) through 1.11.6 allow attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value in a JOSE header.

CVSS: 5.3 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2023-12-18
Medium

CVE-2023-48795

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from…

CVSS: 5.9 CWE: CWE-354 - Improper Validation of Integrity Check Value View on NVD
2023-10-10
High

CVE-2023-45312

In the mtproto_proxy (aka MTProto proxy) component through 0.7.2 for Erlang, a low-privileged remote attacker can access an improperly secured default installation without authenticating and achieve…

CVSS: 8.8 CWE: CWE-1188 - Initialization of a Resource with an Insecure Default View on NVD
2022-09-29
Medium

CVE-2020-15325

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded Erlang cookie for ejabberd replication.

CVSS: 5.3 CWE: CWE-312 - Cleartext Storage of Sensitive Information View on NVD
2022-09-21
Critical

CVE-2022-37026

In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS.

CVSS: 9.8 CWE: N/A View on NVD
2021-04-09
High

CVE-2021-29221

A local privilege escalation vulnerability was discovered in Erlang/OTP prior to version 23.2.3. By adding files to an existing installation's directory, a local attacker could hijack accounts of oth…

CVSS: 7.0 CWE: CWE-426 - Untrusted Search Path View on NVD
2021-01-15
High

CVE-2020-35733

An issue was discovered in Erlang/OTP before 23.2.2. The ssl application 10.2 accepts and trusts an invalid X.509 certificate chain to a trusted root Certification Authority.

CVSS: 7.5 CWE: CWE-295 - Improper Certificate Validation View on NVD
2020-11-12
Critical

CVE-2020-24719

Exposed Erlang Cookie could lead to Remote Command Execution (RCE) attack. Communication between Erlang nodes is done by exchanging a shared secret (aka "magic cookie"). There are cases where the mag…

CVSS: 9.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2020-10-02
High

CVE-2020-25623

Erlang/OTP 22.3.x before 22.3.4.6 and 23.x before 23.1 allows Directory Traversal. An attacker can send a crafted HTTP request to read arbitrary files, if httpd in the inets application is used.

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2020-05-15
Medium

CVE-2020-12872

yaws_config.erl in Yaws through 2.0.2 and/or 2.0.7 loads obsolete TLS ciphers, as demonstrated by ones that allow Sweet32 attacks, if running on an Erlang/OTP virtual machine with a version less than…

CVSS: 5.5 CWE: CWE-326 - Inadequate Encryption Strength View on NVD
2019-12-10
Medium

CVE-2016-1000107

inets in Erlang possibly 22.1 and earlier follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable…

CVSS: 6.1 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
2019-11-23
High

CVE-2019-11287

Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web manage…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2019-09-10
Critical

CVE-2019-11495

In Couchbase Server 5.1.1, the cookie used for intra-node communication was not generated securely. Couchbase Server uses erlang:now() to seed the PRNG which results in a small search space for poten…

CVSS: 9.8 CWE: CWE-335 - Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) View on NVD
2019-08-19
High

CVE-2019-15160

The SweetXml (aka sweet_xml) package through 0.6.6 for Erlang and Elixir allows attackers to cause a denial of service (resource consumption) via an XML entity expansion attack with an inline DTD.

CVSS: 7.5 CWE: CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') View on NVD
2019-02-04
High

CVE-2019-1000014

Erlang/OTP Rebar3 version 3.7.0 through 3.7.5 contains a Signing oracle vulnerability in Package registry verification that can result in Package modifications not detected, allowing code execution.…

CVSS: 8.8 CWE: N/A View on NVD
2018-08-24
High

CVE-2018-15728

Couchbase Server exposed the '/diag/eval' endpoint which by default is available on TCP/8091 and/or TCP/18091. Authenticated users that have 'Full Admin' role assigned could send arbitrary Erlang cod…

CVSS: 8.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2017-12-12
Medium

CVE-2017-1000385

The Erlang otp TLS server answers with different TLS alerts to different error types in the RSA PKCS #1 1.5 padding. This allows an attacker to decrypt content or sign messages with the server's priv…

CVSS: 5.9 CWE: CWE-203 - Observable Discrepancy View on NVD
2017-11-14
Critical

CVE-2017-12635

Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys…

CVSS: 9.8 CWE: CWE-269 - Improper Privilege Management View on NVD
2017-03-18
Critical

CVE-2016-10253

An issue was discovered in Erlang/OTP 18.x. Erlang's generation of compiled regular expressions is vulnerable to a heap overflow. Regular expressions using a malformed extpattern can indirectly speci…

CVSS: 9.8 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2016-04-07
Medium

CVE-2015-2774

Erlang/OTP before 18.0-rc1 does not properly check CBC padding bytes when terminating connections, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2015-02-03
Low

CVE-2014-9568

puppetlabs-rabbitmq 3.0 through 4.1 stores the RabbitMQ Erlang cookie value in the facts of a node, which allows local users to obtain sensitive information as demonstrated by using Facter.

CVSS: 2.1 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2014-12-08
High

CVE-2014-1693

Multiple CRLF injection vulnerabilities in the FTP module in Erlang/OTP R15B03 allow context-dependent attackers to inject arbitrary FTP commands via CRLF sequences in the (1) user, (2) account, (3)…

CVSS: 7.5 CWE: N/A View on NVD
2014-04-11
High

CVE-2014-2829

Erlang Solutions MongooseIM through 1.3.1 rev. 2 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption…

CVSS: 7.8 CWE: CWE-264 View on NVD
2011-05-31
High

CVE-2011-0766

The random number generator in the Crypto application before 2.0.2.2, and SSH before 2.0.5, as used in the Erlang/OTP ssh library before R14B03, uses predictable seeds based on the current time, whic…

CVSS: 7.8 CWE: CWE-310 View on NVD
2009-01-15
High

CVE-2009-0130

lib/crypto/c_src/crypto_drv.c in erlang does not properly check the return value from the OpenSSL DSA_do_verify function, which might allow remote attackers to bypass validation of the certificate ch…

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
CVE Daily Lookup — auto-links CVE IDs on any page you visit. GitHub, Jira, Confluence & more. Free.
Chrome Firefox