Skip to content
Public database of Elixir security advisories
Branch: master
Clone or download

Latest commit

Fetching latest commit…
Cannot retrieve the latest commit at this time.


Type Name Latest commit message Commit time
Failed to load latest commit information.
.github Update dependabot.yml Mar 23, 2020
logo Add files via upload May 26, 2018
spec Add id column Jan 4, 2019
.gitignore Rename date_disclosed to disclosure_date, and add specs Apr 3, 2018
.travis.yml Fix version and requirement classes to work with Rubygems 3.x Jan 4, 2019
Gemfile Add back rake (needed for Travis) Apr 3, 2018
Gemfile.lock Bump rake from 13.0.0 to 13.0.1 Nov 12, 2019
LICENSE.txt Add license Apr 3, 2018 Add MixAudit to’s list of automated tools Mar 17, 2020
Rakefile Add Rakefile Apr 3, 2018


Elixir Advisory Database

The Elixir Advisory Database is a repository of security advisories filed against published Elixir packages.

Advisory metadata is stored in YAML format for Sobelow, Dependabot, MixAudit and other automated tools to consume.

This is also an experimental web API for the database.

Build Status

Directory Structure

The database is a list of directories that match the names of Elixir libraries on []. Within each directory are one or more advisory files for the Elixir library.



Each advisory file contains the advisory information in YAML format:

id: 8268e120-60b4-4efb-b9ca-4e3faca0cca6
package: plug
disclosure_date: 2017-02-28
cve: 2017-1000052
title: |
  Null Byte Injection in Plug.Static

description: |
  Plug.Static is used for serving static assets, and is vulnerable to null
  byte injection. If file upload functionality is provided, this can allow
  users to bypass filetype restrictions.

  We recommend all applications that provide file upload functionality and
  serve those uploaded files locally with Plug.Static to upgrade immediately
  or include the fix below. If uploaded files are rather stored and served
  from S3 or any other cloud storage, you are not affected.

  - ~> 1.3.2
  - ~> 1.2.3
  - ~> 1.1.7
  - ~> 1.0.4

  - "< 1.0.0"


There is linting in place to enforce the following schema for each advisory:

Attribute Type Description
id String A version 4 UUID (use
package String Name of the affected package.
disclosure_date Date Date the vulnerability was publicly disclosed (here or elsewhere).
cve String/Null (Optional) CVE assigned to the vulnerability.
link String Link to the original disclosure / more details.
title String Title of the vulnerability. This should be a (very) short description.
description String Description of the vulnerability.
patched_versions Array Array of Elixir requirement strings specifying patched versions.
unaffected_versions Array Array of Elixir requirement strings specifying unaffected versions.


Do you know about a vulnerability that isn't listed in this database? Open an issue or submit a PR.


All content in this repository is placed in the public domain.

Public Domain

You can’t perform that action at this time.