Home

Description

Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \'), breaking out of the string context and executing arbitrary JavaScript in the victim's browser. This issue affects absinthe_plug: from 1.2.0.

PUBLISHED Reserved 2026-04-29 | Published 2026-05-08 | Updated 2026-05-08 | Assigner EEF




LOW: 2.3CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status
unaffected

1.2.0 (semver) before *
affected

Default status
unaffected

26241817cb4b9be4de3f5972c5fba3d36de3d713 (git) before 23a0d5658d32420086711adf4ce8f05febb09963
affected

Credits

40826d finder

Bryan A. Enders finder

Leandro Moreno remediation developer

Ben Wilson remediation reviewer

References

github.com/absinthe-graphql/absinthe_plug/issues/275 exploit

github.com/absinthe-graphql/absinthe_plug/issues/275 vendor-advisory

cna.erlef.org/cves/CVE-2026-42794.html related

osv.dev/vulnerability/EEF-CVE-2026-42794 related

github.com/...ommit/23a0d5658d32420086711adf4ce8f05febb09963 patch

cve.org (CVE-2026-42794)

nvd.nist.gov (CVE-2026-42794)

Download JSON