Is bandit safe to use?

bandit has 7 known vulnerabilities on the latest version (1.12.0). DepScope rates its health at 27/100 (critical risk).

What is the latest version of bandit?

The latest version of bandit is 1.12.0, released 2026-06-06.

Does bandit have known vulnerabilities?

Yes. bandit has 7 known vulnerabilities. See depscope.dev/pkg/hex/bandit for details.

What are alternatives to bandit?

DepScope has no curated alternatives for bandit at this time.

bandit

hexv1.12.0deprecated

A pure-Elixir HTTP server built for Plug & WebSock apps

License MITpermissive119 versions2 maintainers0 deps187,173 weekly dl

mtrudel/bandit

/ 100

Health

find alternative

bandit is deprecated — find an alternative

Update to >= 1e8e55966da9129016b73d32f0e1df4630e3b463 to fix known vulnerabilities

Moderate health score (27/100) — verify manually
4 high severity vulnerabilities
Package is deprecated

Health breakdown0 – 100

25/25

maintenance

14/20

popularity

0/25

security

15/15

maturity

3/15

community

Vulnerabilities

4 high3 medium

Advisories (7)

Severity	ID	Summary	Fixed in
high	CVE-2026-39803	HTTP/1 chunked body reader ignores length cap in bandit	ae3520dfdbfab115c638f8c7f6f6b805db34e1ab
high	CVE-2026-39804	WebSocket permessage-deflate inflate has no output-size cap in bandit	8156921a51e684a951221da7bc30a70a022f722e
medium	CVE-2026-39805	CL.CL HTTP request smuggling via duplicate Content-Length in bandit	f2ca636eb6df385219957e8934e9fc6efa1630d1
high	CVE-2026-39806	HTTP/1 chunked decoder infinite loop on requests with trailer fields in bandit	ae3520dfdbfab115c638f8c7f6f6b805db34e1ab
medium	CVE-2026-39807	Client-supplied URI scheme trusted without transport verification in bandit	45feea20dea8af7ffd7245271107b695c040e667
high	CVE-2026-42786	WebSocket fragmented message reassembly unbounded in bandit	21612c7c7b1ce43eccd36d3af3a2299d23513667
medium	CVE-2026-42788	HTTP/2 frame size limit checked after body is buffered in bandit	1e8e55966da9129016b73d32f0e1df4630e3b463

Maintainer trust

Active maintainers (3m)

5

Contributors (12m)

12

Primary author dominance

50%

GitHub stars

1,889

Health History

Dependency Tree

License Audit

API access

Get this data programmatically — free, no authentication.

curl https://depscope.dev/api/check/hex/bandit

First published · 2020-11-05T17:11:46.440731Z

Last updated · 2026-06-06T23:21:05.672746Z

Severity

Summary

Fixed in

high

CVE-2026-39803

HTTP/1 chunked body reader ignores length cap in bandit

ae3520dfdbfab115c638f8c7f6f6b805db34e1ab

high

CVE-2026-39804

WebSocket permessage-deflate inflate has no output-size cap in bandit

8156921a51e684a951221da7bc30a70a022f722e

medium

CVE-2026-39805

CL.CL HTTP request smuggling via duplicate Content-Length in bandit

f2ca636eb6df385219957e8934e9fc6efa1630d1

high

CVE-2026-39806

HTTP/1 chunked decoder infinite loop on requests with trailer fields in bandit

ae3520dfdbfab115c638f8c7f6f6b805db34e1ab

medium

CVE-2026-39807

Client-supplied URI scheme trusted without transport verification in bandit

45feea20dea8af7ffd7245271107b695c040e667

high

CVE-2026-42786

WebSocket fragmented message reassembly unbounded in bandit

21612c7c7b1ce43eccd36d3af3a2299d23513667

medium

CVE-2026-42788

HTTP/2 frame size limit checked after body is buffered in bandit

1e8e55966da9129016b73d32f0e1df4630e3b463