plug

1.20.1

1.20.1 1.20.0 1.19.3 1.19.2 1.19.1 1.19.0 1.18.3 1.18.2 1.18.1 1.18.0 1.17.2 1.17.1 1.17.0 1.16.4 1.16.3 1.16.2 1.16.1 1.16.0 1.15.5 1.15.4 1.15.3 1.15.2 1.15.1 1.15.0 1.14.2 1.14.1 1.14.0 1.13.6 1.13.5 1.13.4 1.13.3 1.13.2 1.13.1 retired 1.13.0 retired 1.12.1 1.12.0 1.11.1 1.11.0 1.10.4 1.10.3 1.10.2 1.10.1 1.10.0 1.9.0 1.8.3 1.8.2 1.8.1 1.8.0 1.7.2 1.7.1 1.7.0 1.6.4 1.6.3 1.6.2 1.6.1 1.6.0 1.5.1 1.5.0 1.5.0-rc.2 1.5.0-rc.1 1.5.0-rc.0 1.4.5 1.4.4 1.4.3 1.4.2 1.4.1 1.4.0 1.4.0-rc.0 1.3.6 1.3.5 1.3.4 1.3.3 1.3.2 1.3.1 1.3.0 1.2.6 1.2.5 1.2.4 1.2.3 1.2.2 1.2.1 1.2.0 1.2.0-rc.0 1.1.9 1.1.8 1.1.7 1.1.6 1.1.5 1.1.4 1.1.3 1.1.2 1.1.1 1.1.0 1.0.6 1.0.5 1.0.4 1.0.3 1.0.2 1.0.1 1.0.0 0.14.0 0.13.1 0.13.0 0.12.2 0.12.1 0.12.0 0.11.3 0.11.2 0.11.1 0.11.0 0.10.0 0.9.0 0.8.4 0.8.3 0.8.2 0.8.1 0.8.0 0.7.0 0.6.0 0.5.3 0.5.2 0.5.1 0.5.0 0.4.4 0.4.3 0.4.2 0.4.1

Compose web applications with functions

HexDocs HexPreview

Current section

5 Advisories

Jump to

Readme 127 Versions 3 Dependencies 1176 Dependants 5 Advisories Activity

EEF-CVE-2026-54892 CVE-2026-54892 GHSA-j43x-5hjq-rgxf

Plug: quadratic-time decoding of nested query/body parameters enables denial of service

June 23, 2026

CVSS

8.7 / 10.0 High

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Versions

>= 1.19.0 and < 1.19.3 >= 1.15.0 and < 1.15.5 >= 1.16.0 and < 1.16.4 >= 1.17.0 and < 1.17.2 >= 1.18.0 and < 1.18.3

References

EEF-CVE-2026-8468 CVE-2026-8468 GHSA-468c-vq7p-gh64

Unbounded buffer accumulation in multipart header parsing causes denial of service in plug

May 14, 2026

CVSS

8.2 / 10.0 High

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Versions

>= 1.17.0 and < 1.17.1 >= 1.4.0 and < 1.15.4 >= 1.16.0 and < 1.16.3 >= 1.19.0 and < 1.19.2 >= 1.18.0 and < 1.18.2

References

GHSA-9h73-w7ch-rh73 CVE-2018-1000883

Header Injection

April 12, 2022

CVSS

6.5 / 10.0 Medium

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Affected Versions

< 1.0.6 >= 1.3.0 and < 1.3.5 >= 1.2.0 and < 1.2.5 >= 1.1.0 and < 1.1.9

References

GHSA-5v4m-c73v-c7gq CVE-2017-1000053

Arbitrary Code Execution in Cookie Serialization

April 12, 2022

CVSS

8.1 / 10.0 High

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Versions

< 1.0.4 >= 1.3.0 and < 1.3.2 >= 1.2.0 and < 1.2.3 >= 1.1.0 and < 1.1.7

References

GHSA-2q6v-32mr-8p8x CVE-2017-1000052

Null Byte Injection in Plug.Static

April 12, 2022

CVSS

7.8 / 10.0 High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Versions

>= 1.1.0 and < 1.1.7 < 1.0.4 >= 1.3.0 and < 1.3.2 >= 1.2.0 and < 1.2.3

References

Checksum

Dependency Config

mix.exs

rebar.config

Gleam

erlang.mk

Package Details

Downloads Last 30 days, all versions

this version

36 027

yesterday

51 051

last 7 days

342 104

all time

159 899 286

Last Updated

Jun 23, 2026

License

Apache-2.0

Build Tools

mix

Publisher

josevalim

Operator	Description	Example
name:	Match package name. Supports * wildcards and repo/package form	name:phx* or name:hexpm/phoenix
description:	Full-text search of package descriptions	description:auth
depends:	Packages depending on a given package. Supports repo:package form	depends:ecto or depends:hexpm:ecto
build_tool:	Filter by build tool	build_tool:mix
updated_after:	Packages updated after an ISO8601 datetime	updated_after:2025-01-01T00:00:00Z
extra:	Match custom metadata (key,value). Nested keys are separated by commas	extra:license,MIT

plug

Checksum

Dependency Config

Package Details

Links

Owners

Search filters