Current section

10 Advisories

GHSA-q6v9-r226-v65f / CVE-2026-42788 / EEF-CVE-2026-42788
Bandit HTTP/2 Frame Size Limit Bypass via Late Buffer Check Enables Memory Exhaustion
May 07, 2026

GHSA-375f-4r2h-f99j / CVE-2026-39807 / EEF-CVE-2026-39807
Bandit trusts client-supplied URI scheme on plaintext connections
May 07, 2026

GHSA-c67r-gc9j-2qf7 / CVE-2026-39805 / EEF-CVE-2026-39805
Bandit is vulnerable to CL.CL request smuggling via unrejected duplicate `Content-Length` header
May 07, 2026

GHSA-pf94-94m9-536p / CVE-2026-42786 / EEF-CVE-2026-42786
Bandit Buffers Unbounded WebSocket Continuation Frames, Allowing Unauthenticated Memory Exhaustion
May 07, 2026

GHSA-frh3-6pv6-rc8j / CVE-2026-39804 / EEF-CVE-2026-39804
Bandit's unbounded WebSocket inflate causes BEAM OOM with a single frame
May 07, 2026
EEF-CVE-2026-39805 / CVE-2026-39805 / GHSA-c67r-gc9j-2qf7
CL.CL HTTP request smuggling via duplicate Content-Length in bandit
May 01, 2026
CVSS: 6.3 / 10.0 Medium
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Affected Versions: < 1.11.0

EEF-CVE-2026-39804 / CVE-2026-39804 / GHSA-frh3-6pv6-rc8j
WebSocket permessage-deflate inflate has no output-size cap in bandit
May 01, 2026
CVSS: 8.2 / 10.0 High
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Affected Versions: >= 0.5.9 and < 1.11.0

EEF-CVE-2026-39807 / CVE-2026-39807 / GHSA-375f-4r2h-f99j
Client-supplied URI scheme trusted without transport verification in bandit
May 01, 2026
CVSS: 6.3 / 10.0 Medium
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Affected Versions: >= 1.0.0 and < 1.11.0

EEF-CVE-2026-42786 / CVE-2026-42786 / GHSA-pf94-94m9-536p
WebSocket fragmented message reassembly unbounded in bandit
May 01, 2026
CVSS: 8.7 / 10.0 High
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Affected Versions: >= 0.5.0 and < 1.11.0

EEF-CVE-2026-42788 / CVE-2026-42788 / GHSA-q6v9-r226-v65f
HTTP/2 frame size limit checked after body is buffered in bandit
May 01, 2026
CVSS: 6.9 / 10.0 Medium
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Affected Versions: >= 0.3.6 and < 1.11.0

Package Details

Downloads (chart: last 30 days, all versions)
this version: 52 796
yesterday: 27 407
last 7 days: 163 545
all time: 10 587 461

Last Updated: May 01, 2026
License: MIT
Build Tools: mix
Publisher: mtrudel