Skip to main content

Absinthe Plug

1 CVEs product

Monthly

CVE-2026-42794 LOW PATCH Monitor

Reflected cross-site scripting (XSS) in absinthe_plug GraphiQL interface allows unauthenticated attackers to execute arbitrary JavaScript in victims' browsers via the query GET parameter. The vulnerability exploits incomplete input escaping in the js_escape/1 function, which fails to escape backslashes before embedding user-controlled query strings into inline JavaScript. An attacker can bypass existing single-quote and newline escaping by prefixing a quote with a backslash (e.g., \'), breaking out of the string context. Vendor-released patch available (version 1.10.2 and later); exploitation requires user interaction (clicking a malicious link).

XSS Absinthe Plug
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Reflected cross-site scripting (XSS) in absinthe_plug GraphiQL interface allows unauthenticated attackers to execute arbitrary JavaScript in victims' browsers via the query GET parameter. The vulnerability exploits incomplete input escaping in the js_escape/1 function, which fails to escape backslashes before embedding user-controlled query strings into inline JavaScript. An attacker can bypass existing single-quote and newline escaping by prefixing a quote with a backslash (e.g., \'), breaking out of the string context. Vendor-released patch available (version 1.10.2 and later); exploitation requires user interaction (clicking a malicious link).

XSS Absinthe Plug
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy