Skip to main content

absinthe_plug CVE-2026-42794

| EUVDEUVD-2026-28799 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-05-08 EEF GHSA-c62g-j346-39v5
2.3
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
May 08, 2026 - 16:33 vuln.today
Analysis Generated
May 08, 2026 - 16:33 vuln.today
CVSS changed
May 08, 2026 - 16:22 NVD
2.3 (LOW)
CVE Published
May 08, 2026 - 15:42 nvd
LOW 2.3

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface.

'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \'), breaking out of the string context and executing arbitrary JavaScript in the victim's browser.

This issue affects absinthe_plug: from 1.2.0 before 1.10.2.

AnalysisAI

Reflected cross-site scripting (XSS) in absinthe_plug GraphiQL interface allows unauthenticated attackers to execute arbitrary JavaScript in victims' browsers via the query GET parameter. The vulnerability exploits incomplete input escaping in the js_escape/1 function, which fails to escape backslashes before embedding user-controlled query strings into inline JavaScript. An attacker can bypass existing single-quote and newline escaping by prefixing a quote with a backslash (e.g., \'), breaking out of the string context. Vendor-released patch available (version 1.10.2 and later); exploitation requires user interaction (clicking a malicious link).

Technical ContextAI

absinthe_plug is an Elixir/Phoenix integration library for the Absinthe GraphQL server. The vulnerability exists in the GraphiQL web-based IDE, which accepts GraphQL query strings via the query GET parameter and embeds them directly into inline JavaScript for client-side initialization. The js_escape/1 function in lib/absinthe/plug/graphiql.ex attempts to sanitize these parameters by escaping single quotes (') and newlines (\n), but fails to escape backslashes (\). This is a classic JavaScript string escape vulnerability: in JavaScript string literals delimited by single quotes, a backslash followed by a quote (\') is interpreted as an escaped quote character (literal '), not a backslash followed by a quote-that-closes-the-string. By not pre-escaping backslashes, an attacker can inject \') to produce a closing quote followed by code injection. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically the failure to apply sufficient output encoding to user-controlled data before inserting it into a dynamic JavaScript context.

RemediationAI

Upgrade absinthe_plug to version 1.10.2 or later immediately. The patched version corrects the js_escape/1 function to escape backslashes first (before single quotes and newlines), preventing the bypass technique described. To verify the patch, inspect that lib/absinthe/plug/graphiql.ex includes backslash escaping as the first replacement operation in the chain. For teams unable to upgrade immediately, a compensating control is to restrict access to the GraphiQL endpoint (typically at /_graphiql or /graphiql) to authenticated users or internal networks only, using web server firewall rules or reverse proxy authentication. This eliminates the ability for unauthenticated external attackers to inject malicious URLs, though it does not fix the underlying escaping bug. A second compensating control is to disable the GraphiQL interface entirely in production environments via the Absinthe.Plug configuration (enabled: false or similar), reserving it for development only; this is a best practice regardless. The patch has no known side effects and includes additional hardening (carriage return and </ escaping) that improves overall robustness. Patch commit: https://github.com/absinthe-graphql/absinthe_plug/commit/23a0d5658d32420086711adf4ce8f05febb09963.

Share

CVE-2026-42794 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy