Reflected XSS via backslash bypass in GraphiQL js_escape in absinthe_plug
Summary
| CVE | CVE-2026-42794 |
|---|---|
| State | PUBLISHED |
| Assigner | EEF |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-08 16:16:12 UTC |
| Updated | 2026-05-08 17:16:31 UTC |
| Description | Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \'), breaking out of the string context and executing arbitrary JavaScript in the victim's browser. This issue affects absinthe_plug: from 1.2.0. |
Risk And Classification
Primary CVSS: v4.0 2.3 LOW from 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Problem Types: CWE-79 | CWE-79 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | Secondary | 2.3 | LOW | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 2.3 | LOW | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
CVSS v4.0 Breakdown
Attack Vector
NetworkAttack Complexity
LowAttack Requirements
PresentPrivileges Required
NoneUser Interaction
PassiveConfidentiality
LowIntegrity
LowAvailability
NoneSub Conf.
NoneSub Integrity
NoneSub Availability
NoneCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Absinthe-graphql | Absinthe Plug | affected 1.2.0 * semver | Not specified |
| CNA | Absinthe-graphql | Absinthe Plug | affected 26241817cb4b9be4de3f5972c5fba3d36de3d713 23a0d5658d32420086711adf4ce8f05febb09963 git | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/absinthe-graphql/absinthe_plug/issues/275 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | github.com | |
| osv.dev/vulnerability/EEF-CVE-2026-42794 | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | osv.dev | |
| cna.erlef.org/cves/CVE-2026-42794.html | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | cna.erlef.org | |
| github.com/absinthe-graphql/absinthe_plug/commit/23a0d5658d32420086711ad... | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: 40826d (en)
CNA: Bryan A. Enders (en)
CNA: Leandro Moreno (en)
CNA: Ben Wilson (en)
There are currently no legacy QID mappings associated with this CVE.