### Vulnerability Key Information Summary

**1. Vulnerability Overview**

* **Vulnerability ID:** `EEF-CVE-2026-21619` (Alias: `CVE-2026-21619`, `GHSA-hx9w-j2w9-9y98`)
* **Vulnerability Type:** Unsafe Deserialization, Uncontrolled Resource Consumption
* **Severity:** 2.0 (Low)
* **Detailed Description:** This vulnerability exists within `hex_core` (hexapi modules), `hex` (mixhexapi modules), and `erlang rebar3` (r3hexapi modules). Attackers can exploit this vulnerability to perform Object Injection and Excessive Allocation.
* **Affected Files:** `src/hexapi.erl`, `src/mixhexapi.erl`, `apps/rebar/src/vendored/r3hexapi.erl`, and related program routines.

**2. Scope of Impact**

* **hex_core:** Versions `0.1.0` to `0.12.1` (exclusive)
* **hex:** Versions `2.3.0` to `2.3.2` (exclusive)
* **rebar3:** Versions `3.9.1` to `3.27.0` (exclusive)

**3. Remediation**

* **hex_core:** Upgrade to version `0.12.1` or higher.
  * Fix Commit: `cdf26995ca85adf549d46d1e831ae93c2b13`
* **hex:** Upgrade to version `2.3.2` or higher.
  * Fix Commit: `6367391322514e9303ba335b630696bbb3c95`
* **rebar3:** Upgrade to version `3.27.0` or higher.
  * Fix Commit: `144478f52b373de0b225951e53115450e0d9b9d`

*(Note: The screenshot does not contain specific POC exploitation code, only providing the relevant GitHub links and Commit IDs.)*