plug has 1 known vulnerabilities on the latest version (1.19.2). DepScope rates its health at 53/100 (high risk).

What is the latest version of plug?

The latest version of plug is 1.19.2, released 2026-05-14.

Does plug have known vulnerabilities?

Yes. plug has 1 known vulnerabilities. See depscope.dev/pkg/hex/plug for details.

What are alternatives to plug?

DepScope has no curated alternatives for plug at this time.

What license does plug use?

plug is licensed under Apache-2.0.

plug

hexv1.19.2deprecated

Compose web applications with functions

License Apache-2.0permissive120 versions4 maintainers0 deps337,293 weekly dl

elixir-plug/plug

/ 100

Health

find alternative

plug is deprecated — find an alternative

Update to >= 33858427c7f2737d560a2e40a0c9a9270d77d1d7 to fix known vulnerabilities

Moderate health score (53/100) — verify manually
1 high severity vulnerabilities
Package is deprecated

Health breakdown0 – 100

25/25

maintenance

14/20

popularity

20/25

security

15/15

maturity

9/15

community

Vulnerabilities

1 high

Advisories (1)

Severity	ID	Summary	Fixed in
high	CVE-2026-8468	Unbounded buffer accumulation in multipart header parsing causes denial of service in plug	33858427c7f2737d560a2e40a0c9a9270d77d1d7

OSS Scorecard

OpenSSF security posture score

3.8/10

weak

Maintainer trust

Active maintainers (3m)

5

Contributors (12m)

21

Primary author dominance

49%

GitHub stars

3,000

Health History

Dependency Tree

License Audit

API access

Get this data programmatically — free, no authentication.

curl https://depscope.dev/api/check/hex/plug

First published · 2014-04-23T18:58:52.000000Z

Last updated · 2026-05-14T09:20:07.319120Z