Description
Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface.

'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \'), breaking out of the string context and executing arbitrary JavaScript in the victim's browser.

This issue affects absinthe_plug: from 1.2.0 before 1.5.10.
Published: 2026-05-08
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected cross-site scripting flaw in the GraphiQL interface of absinthe_plug. A crafted query string containing backslashes bypasses the existing JavaScript escaping, so an attacker can inject JavaScript that executes in the victim's browser when the query is echoed into an inline script. The flaw is classified as CWE-79 and can compromise the confidentiality, integrity, and availability of user sessions, for example by stealing credentials, defacing pages, or manipulating application logic.

Affected Systems

The affected product is absinthe_plug, which runs in Elixir/Absinthe GraphQL applications. Versions 1.2.0 through 1.5.9 are affected; 1.5.10 and later include the fix. The flaw is present in the js_escape/1 function in the GraphiQL module.

Risk and Exploitability

The CVSS score of 2.3 indicates low severity; the impact is confined to the browsers of users who open the reflected input. The EPSS score is below 1%, and the vulnerability is not in the KEV catalog of known exploited vulnerabilities. The attack vector is reflected XSS: the attacker must lure a victim to a URL whose query string contains a backslash-escaped quote. No prior server compromise is needed, and exploitation is possible only in environments where GraphiQL is exposed to untrusted users.

Generated by OpenCVE AI on May 16, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade absinthe_plug to the latest release that incorporates the fix for the js_escape backslash handling. The committed patch can be applied directly from the absinthe_plug repository if a newer release is not yet available.
  • If an immediate upgrade is not possible, disable the GraphiQL interface in production or restrict its access to a trusted subset of users, thereby preventing unfiltered query parameters from reaching the user interface.
  • Patch the js_escape/1 function to ensure backslashes are escaped before inclusion in inline scripts, or replace the function with a custom implementation that fully sanitizes all special characters.
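An added example, not absinthe_plug's own code, that illustrates the escaping defect in the Description above and the backslash fix recommended in the list: an escaper that mirrors the vulnerable behaviour (single quotes and newlines escaped, backslashes not), a hardened variant that escapes the backslash first, and a small scanner that follows JavaScript string-literal lexing rules to check whether the embedded value stays inside the literal. It is written in JavaScript rather than Elixir so the check is self-contained; the function names and sample inputs are constructed for this example.

```javascript
// Added example (not absinthe_plug's code). Two escapers for embedding a
// user-supplied string in an inline single-quoted JavaScript literal, plus a
// checker that detects when the result would break out of the literal.

// Mirrors the behaviour the advisory describes for the vulnerable js_escape/1:
// single quotes and newlines are escaped, backslashes are not.
function jsEscapeVulnerable(input) {
  return input.replace(/'/g, "\\'").replace(/\n/g, "\\n");
}

// Hardened variant (hypothetical name, assumption for this example): the
// backslash is escaped FIRST, so a backslash already present in the input
// cannot neutralise the escape added for a following quote. Line terminators
// (including U+2028/U+2029) and "</" are also escaped, because the literal
// sits inside an HTML <script> element.
function jsEscapeHardened(input) {
  return input
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029")
    .replace(/<\//g, "<\\/");
}

// Builds the inline-script fragment the way a template would: '<escaped>'.
function embed(escaped) {
  return "'" + escaped + "'";
}

// Scans a would-be single-quoted JS string literal the way the JS lexer does:
// a backslash consumes the next character; an unescaped quote ends the literal.
// Returns true only if the literal opens at index 0, closes exactly at the last
// character, and contains no raw line terminator.
function isSingleStringLiteral(src) {
  if (src.length < 2 || src[0] !== "'") return false;
  let i = 1;
  while (i < src.length) {
    const ch = src[i];
    if (ch === "\\") { i += 2; continue; }          // escape consumes next char
    if (ch === "\n" || ch === "\r") return false;  // raw newline ends literal
    if (ch === "'") return i === src.length - 1;   // must be the closing quote
    i += 1;
  }
  return false; // never closed
}

// Report, for one input, whether each escaper keeps it inside the literal.
function evaluate(input) {
  return {
    vulnerable: isSingleStringLiteral(embed(jsEscapeVulnerable(input))),
    hardened: isSingleStringLiteral(embed(jsEscapeHardened(input))),
  };
}

// Constructed inputs: a benign GraphQL query, and the backslash-before-quote
// pattern named in the advisory followed by a harmless marker.
const BENIGN = "{ viewer { name } }";
const BACKSLASH_QUOTE = "\\' MARKER";

function demo() {
  return {
    benign: evaluate(BENIGN),               // both escapers: true
    backslashQuote: evaluate(BACKSLASH_QUOTE), // vulnerable: false, hardened: true
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The scanner is the useful part for a defender: it is a cheap property test to run over an escaper before shipping it. Any input for which `isSingleStringLiteral(embed(escape(input)))` returns false is an input that leaves the string context, regardless of what follows the quote.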

Advisories

Source: Github GHSA
ID: GHSA-c62g-j346-39v5
Title: absinthe_plug Has a Cross-site Scripting vulnerability

History

Thu, 21 May 2026 19:00:00 +0000

First Time appeared
  Values Added: Absinthe-graphql absinthe.plug
CPEs
  Values Added: cpe:2.3:a:absinthe-graphql:absinthe.plug:*:*:*:*:*:*:*:*
Vendors & Products
  Values Added: Absinthe-graphql absinthe.plug
Metrics cvssV3_1
  Values Added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Sat, 16 May 2026 10:45:00 +0000

Description
  Values Removed: Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \'), breaking out of the string context and executing arbitrary JavaScript in the victim's browser. This issue affects absinthe_plug: from 1.2.0.
  Values Added: Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \'), breaking out of the string context and executing arbitrary JavaScript in the victim's browser. This issue affects absinthe_plug: from 1.2.0 before 1.5.10.

Fri, 08 May 2026 17:30:00 +0000

Metrics ssvc
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 08 May 2026 16:30:00 +0000

Description
  Values Removed: Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \'), breaking out of the string context and executing arbitrary JavaScript in the victim's browser. This issue affects absinthe_plug: from 1.2.0 before 1.10.2.
  Values Added: Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \'), breaking out of the string context and executing arbitrary JavaScript in the victim's browser. This issue affects absinthe_plug: from 1.2.0.

Fri, 08 May 2026 16:00:00 +0000

Description
  Values Added: Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \'), breaking out of the string context and executing arbitrary JavaScript in the victim's browser. This issue affects absinthe_plug: from 1.2.0 before 1.10.2.
Title
  Values Added: Reflected XSS via backslash bypass in GraphiQL js_escape in absinthe_plug
First Time appeared
  Values Added: Absinthe-graphql; Absinthe-graphql absinthe Plug
Weaknesses
  Values Added: CWE-79
CPEs
  Values Added: cpe:2.3:a:absinthe-graphql:absinthe_plug:*:*:*:*:*:*:*:*
Vendors & Products
  Values Added: Absinthe-graphql; Absinthe-graphql absinthe Plug
References
Metrics cvssV4_0
  Values Added: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-16T10:21:31.067Z

Reserved: 2026-04-29T18:06:33.251Z

Link: CVE-2026-42794

Vulnrichment

Updated: 2026-05-08T16:08:18.115Z

NVD

Status : Analyzed

Published: 2026-05-08T16:16:12.750

Modified: 2026-05-21T18:51:38.287

Link: CVE-2026-42794

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-16T11:30:22Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')