Description

Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \'), breaking out of the string context and executing arbitrary JavaScript in the victim's browser. This issue affects absinthe_plug: from 1.2.0 before 1.10.2.

INFO

Published Date :

2026-05-08T15:42:40.706Z

Last Modified :

2026-05-08T16:08:26.818Z

Source :

EEF
AFFECTED PRODUCTS

The following products are affected by CVE-2026-42794 vulnerability.

Vendors Products
Absinthe-graphql
  • Absinthe Plug
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-42794.

URL Resource
https://cna.erlef.org/cves/CVE-2026-42794.html cve-icon cve-icon
https://github.com/absinthe-graphql/absinthe_plug/commit/23a0d5658d32420086711adf4ce8f05febb09963 cve-icon cve-icon
https://github.com/absinthe-graphql/absinthe_plug/issues/275 cve-icon cve-icon
https://osv.dev/vulnerability/EEF-CVE-2026-42794 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability