CVE-2026-42794
MEDIUMReflected XSS via backslash bypass in GraphiQL js_escape in absinthe_plug
Title source: cnaDescription
Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \'), breaking out of the string context and executing arbitrary JavaScript in the victim's browser. This issue affects absinthe_plug: from 1.2.0 before 1.5.10.
References (4)
Core 4
Core References
Vendor Advisory vendor-advisory
https://github.com/absinthe-graphql/absinthe_plug/issues/275
Related related
https://cna.erlef.org/cves/CVE-2026-42794.html
Related related
https://osv.dev/vulnerability/EEF-CVE-2026-42794
Scores
CVSS v3
6.1
EPSS
0.0028
EPSS Percentile
19.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (5)
absinthe-graphql/absinthe.plug
1.2.0 - 1.5.10
absinthe-graphql/absinthe_plug
1.2.0
absinthe-graphql/absinthe_plug
1.2.0 - 1.5.10
absinthe-graphql/absinthe_plug
26241817cb4b9be4de3f5972c5fba3d36de3d713 - 23a0d5658d32420086711adf4ce8f05febb09963
Hex/absinthe_plug
1.2.0 - 1.5.9Hex
Published
May 08, 2026
Tracked Since
May 08, 2026