bandit

1.11.1

1.11.1 1.11.0 1.10.4 1.10.3 1.10.2 1.10.1 1.10.0 retired 1.9.0 1.8.0 1.7.0 1.6.11 1.6.10 1.6.9 1.6.8 1.6.7 1.6.6 1.6.5 1.6.4 1.6.3 1.6.2 1.6.1 1.6.0 1.5.7 1.5.6 1.5.5 1.5.4 1.5.3 1.5.2 1.5.1 1.5.0 1.4.2 1.4.1 1.4.0 1.3.0 1.2.3 1.2.2 1.2.1 1.2.0 1.1.3 1.1.2 1.1.1 1.1.0 1.0.0 1.0.0-pre.18 1.0.0-pre.17 1.0.0-pre.16 1.0.0-pre.15 1.0.0-pre.14 1.0.0-pre.13 1.0.0-pre.12 1.0.0-pre.11 1.0.0-pre.10 1.0.0-pre.9 1.0.0-pre.8 1.0.0-pre.7 1.0.0-pre.6 1.0.0-pre.5 1.0.0-pre.4 1.0.0-pre.3 1.0.0-pre.2 1.0.0-pre.1 0.7.7 0.7.6 0.7.5 0.7.4 0.7.3 0.7.2 0.7.1 0.7.0 0.6.11 0.6.10 0.6.9 0.6.8 0.6.7 0.6.6 0.6.5 0.6.4 0.6.3 0.6.2 0.6.1 0.6.0 0.5.11 0.5.10 0.5.9 0.5.8 0.5.7 0.5.6 0.5.5 0.5.4 0.5.3 0.5.2 0.5.1 0.5.0 0.4.10 0.4.9 0.4.8 0.4.7 0.4.6 0.4.5 0.4.4 0.4.3 0.4.2 0.4.1 0.4.0 0.3.9 0.3.8 0.3.7 0.3.6 0.3.5 0.3.4 0.3.3 0.3.2 0.2.3 0.2.2 0.2.1 0.2.0 0.1.1 0.1.0

A pure-Elixir HTTP server built for Plug & WebSock apps

HexDocs HexPreview

Current section

7 Advisories

Jump to

Readme 118 Versions 5 Dependencies 126 Dependants 7 Advisories Activity

EEF-CVE-2026-39806 CVE-2026-39806 GHSA-rf5q-vwxw-gmrf

HTTP/1 chunked decoder infinite loop on requests with trailer fields in bandit

May 13, 2026

CVSS

8.7 / 10.0 High

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Versions

>= 1.6.1 and < 1.11.1 >= 1.6.0 and < 1.11.1

References

EEF-CVE-2026-39803 CVE-2026-39803 GHSA-9q9q-324x-93r2

HTTP/1 chunked body reader ignores length cap in bandit

May 13, 2026

CVSS

8.7 / 10.0 High

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Versions

>= 1.4.0 and < 1.11.1

References

EEF-CVE-2026-42788 CVE-2026-42788 GHSA-q6v9-r226-v65f

HTTP/2 frame size limit checked after body is buffered in bandit

May 01, 2026

CVSS

6.9 / 10.0 Medium

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Versions

>= 0.3.6 and < 1.11.0 >= 0.3.5 and < 1.11.0

References

EEF-CVE-2026-39807 CVE-2026-39807 GHSA-375f-4r2h-f99j

Client-supplied URI scheme trusted without transport verification in bandit

May 01, 2026

CVSS

6.3 / 10.0 Medium

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Versions

>= 1.0.0 and < 1.11.0

References

EEF-CVE-2026-39805 CVE-2026-39805 GHSA-c67r-gc9j-2qf7

CL.CL HTTP request smuggling via duplicate Content-Length in bandit

May 01, 2026

CVSS

6.3 / 10.0 Medium

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Versions

< 1.11.0

References

EEF-CVE-2026-42786 CVE-2026-42786 GHSA-pf94-94m9-536p

WebSocket fragmented message reassembly unbounded in bandit

May 01, 2026

CVSS

8.7 / 10.0 High

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Versions

>= 0.5.0 and < 1.11.0

References

EEF-CVE-2026-39804 CVE-2026-39804 GHSA-frh3-6pv6-rc8j

WebSocket permessage-deflate inflate has no output-size cap in bandit

May 01, 2026

CVSS

8.2 / 10.0 High

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Versions

>= 0.5.9 and < 1.11.0 >= 0.5.8 and < 1.11.0

References

Checksum

Dependency Config

mix.exs

rebar.config

Gleam

erlang.mk

Package Details

Downloads Last 30 days, all versions

this version

205 564

yesterday

29 081

last 7 days

183 462

all time

11 117 975

Last Updated

May 13, 2026

License

MIT

Build Tools

mix

Publisher

mtrudel

Operator	Description	Example
name:	Match package name. Supports * wildcards and repo/package form	name:phx* or name:hexpm/phoenix
description:	Full-text search of package descriptions	description:auth
depends:	Packages depending on a given package. Supports repo:package form	depends:ecto or depends:hexpm:ecto
build_tool:	Filter by build tool	build_tool:mix
updated_after:	Packages updated after an ISO8601 datetime	updated_after:2025-01-01T00:00:00Z
extra:	Match custom metadata (key,value). Nested keys are separated by commas	extra:license,MIT

bandit

Checksum

Dependency Config

Package Details

Links

Owners

Search filters