CVE-2026-42794
Analyzed Analyzed - Analysis Complete
Reflected XSS in Absinthe Plug GraphiQL Interface

Publication date: 2026-05-08

Last updated on: 2026-05-21

Assigner: EEF

Description
Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \'), breaking out of the string context and executing arbitrary JavaScript in the victim's browser. This issue affects absinthe_plug: from 1.2.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-21
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42794
EUVD
EUVD-2026-28799
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
absinthe-graphql absinthe.plug From 1.2.0 (inc) to 1.5.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a reflected cross-site scripting (XSS) issue in the absinthe-graphql absinthe_plug library, specifically in the GraphiQL interface. The function responsible for escaping input before embedding it in JavaScript strings escapes single quotes and newlines but fails to escape backslashes. An attacker can exploit this by prefixing a quote with a backslash, which breaks out of the intended string context and allows execution of arbitrary JavaScript code in the victim's browser.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary JavaScript in the context of a victim's browser when they interact with the vulnerable GraphiQL interface. This can lead to theft of sensitive information such as cookies or session tokens, manipulation of the web page content, or performing actions on behalf of the victim, potentially compromising user accounts or data.

Mitigation Strategies

Immediate mitigation steps include updating the absinthe_plug library to a version that includes the fix for this vulnerability, which properly escapes backslashes in the js_escape function.

If updating is not immediately possible, restrict or disable access to the GraphiQL interface in production environments, as it is typically a developer tool and can be exploited if exposed.

Implementing a Content Security Policy (CSP) can also help mitigate the impact of XSS vulnerabilities by restricting the execution of unauthorized scripts.

Compliance Impact

The CVE-2026-42794 vulnerability is a reflected cross-site scripting (XSS) issue that allows execution of arbitrary JavaScript in a victim's browser via the GraphiQL interface of absinthe_plug. Such XSS vulnerabilities can lead to unauthorized access to user data or session hijacking.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, XSS vulnerabilities generally pose risks to data confidentiality and integrity, which are critical aspects of these regulations. Exploitation could potentially lead to unauthorized disclosure of personal or sensitive information, thereby impacting compliance.

Mitigation involves updating to a patched version and restricting or disabling the GraphiQL interface in production environments to reduce exposure.

Detection Guidance

This vulnerability can be detected by testing the GraphiQL interface of the absinthe_plug library for reflected cross-site scripting (XSS) via the 'query' GET parameter.

You can attempt to inject a payload that uses a backslash before a quote (e.g., \') in the 'query' parameter to see if it breaks out of the JavaScript string context and executes arbitrary JavaScript.

For example, you can use curl or a browser to send a request like:

  • curl -v 'http://yourserver/graphiql?query=\'alert(document.domain)//'

If the response includes the injected script executing or reflected unescaped in the inline JavaScript, the vulnerability is present.

Additionally, monitoring HTTP traffic for suspicious query parameters containing backslash-escaped quotes in GraphiQL requests may help detect exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42794. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart