Description
Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface.

'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \'), breaking out of the string context and executing arbitrary JavaScript in the victim's browser.

This issue affects absinthe_plug: from 1.2.0.
Published: 2026-05-08
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected cross-site scripting flaw in the GraphiQL interface of absinthe_plug. A crafted query parameter that places a backslash in front of a single quote bypasses the existing JavaScript escaping, so attacker-controlled JavaScript runs in the victim's browser when the query is echoed into an inline script. The flaw is CWE-79. Because the injected script runs in the origin of the GraphQL application, it can issue GraphQL requests with the victim's session (cookies, or a token the GraphiQL page holds) and read the responses, or alter what the page shows. The CVSS vector rates the confidentiality and integrity impact as low and the availability impact as none; the "defacing web pages" and "stealing credentials" outcomes are the usual reflected-XSS consequences, not something the advisory demonstrates.

Affected Systems

The affected product is absinthe_plug, the Plug integration for Elixir/Absinthe GraphQL applications. Versions from 1.2.0 onward are affected until a fixed release is applied. The flaw is in the js_escape/1 function of the Absinthe.Plug.GraphiQL module (lib/absinthe/plug/graphiql.ex), which is only reached when the GraphiQL interface is mounted.

Risk and Exploitability

The CVSS 4.0 score of 2.3 (Low) describes a network-reachable flaw that needs no privileges but requires passive user interaction (a victim following a crafted link) and an attack requirement (a GraphiQL endpoint the victim's browser can reach). The EPSS estimate is below 1%, the vulnerability is not in the CISA KEV catalog, and the SSVC assessment records a proof of concept with partial technical impact. Exploitation is classic reflected XSS: the attacker sends the victim a URL for the GraphiQL page whose query parameter carries the backslash-quote payload; no server compromise is needed. What gates exploitation is reachability of GraphiQL from the victim's browser, which is why it matters whether the interface is left enabled outside development.

Generated by OpenCVE AI on May 8, 2026 at 17:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade absinthe_plug to a release that fixes backslash handling in js_escape/1 once one is published; if no such release is available yet, check the absinthe_plug repository for the fixing commit and apply it as a patch.
  • If an immediate upgrade is not possible, disable the GraphiQL interface in production (it is a development tool) or restrict it to trusted networks. Restricting access shrinks the set of users who can be targeted, but a trusted user who follows a crafted link is still exposed, so this is a mitigation rather than a fix.
  • Patch js_escape/1 so that backslashes are escaped first, before single quotes and newlines; escaping them afterwards would double the backslashes the earlier steps added. Escape carriage returns, the U+2028/U+2029 line terminators and the "</" sequence as well, so a query cannot close the inline script tag. Alternatively, avoid placing the query in a JavaScript string literal at all and pass it as JSON in a data attribute that the page's script reads.

Generated by OpenCVE AI on May 8, 2026 at 17:44 UTC.
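The backslash bypass described in the Description and the escaping fix recommended under OpenCVE Recommended Actions, as an added JavaScript example that is not code from absinthe_plug: it mirrors the escaping the advisory describes (single quotes and newlines only), shows that a \' payload breaks out of the single-quoted string literal and runs, and contrasts it with an escaper that handles the backslash first. The variable name defaultQuery, the pwned() sink, the payload and the benign query are all constructed for this example; the inline script is evaluated with the Function constructor to stand in for the browser executing the generated <script>.

```javascript
// Added example (not absinthe_plug code): why an escaper that handles quotes
// and newlines but not backslashes can be bypassed, and a corrected escaper.

// Mirrors the behaviour the advisory describes for js_escape/1: single quotes
// and newlines are escaped, backslashes are left alone.
function jsEscapeVulnerable(s) {
  return s.replace(/'/g, "\\'").replace(/\n/g, "\\n");
}

// Hardened escaper for a single-quoted JS string literal. Backslash must be
// handled first, otherwise the backslashes added for the other characters
// would be doubled. CR, the U+2028/U+2029 line terminators and "</" are also
// escaped; the advisory only mentions quotes and newlines, these extra cases
// are the usual hardening for an inline-script sink.
function jsEscapeFixed(s) {
  return s
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/\n/g, "\\n")
    .replace(/\r/g, "\\r")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029")
    .replace(/<\//g, "<\\/");
}

// The sink: the GET parameter is dropped into a single-quoted JS string
// literal inside an inline <script>. The variable name is an assumption.
function buildInlineScript(escape, query) {
  return "var defaultQuery = '" + escape(query) + "';";
}

// Evaluates the generated script in a function scope and reports whether the
// attacker's pwned() call ran. A real payload would instead POST to the
// GraphQL endpoint with the victim's session or exfiltrate the response.
function simulate(escape, query) {
  let payloadRan = false;
  const pwned = () => { payloadRan = true; };
  const src = buildInlineScript(escape, query) + "\nreturn defaultQuery;";
  try {
    const value = new Function("pwned", src)(pwned);
    return { payloadRan, value };
  } catch (e) {
    return { payloadRan, error: e.name };
  }
}

// Constructed payload: a backslash before the quote (the escaper turns the
// quote into \' which, preceded by the attacker's backslash, becomes \\' and
// closes the string), then the injected call, then "//" to comment out the
// rest of the original literal.
const PAYLOAD = "\\';pwned();//";

// Constructed benign query containing a quote and a newline; both escapers
// must round-trip it unchanged.
const BENIGN = "{ user(name: \"a'b\") {\n id } }";

for (const [name, esc] of [["vulnerable", jsEscapeVulnerable], ["fixed", jsEscapeFixed]]) {
  console.log(name, "script:", buildInlineScript(esc, PAYLOAD));
  console.log(name, "result:", simulate(esc, PAYLOAD));
}
```

With the vulnerable escaper the generated line is var defaultQuery = '\\';pwned();//'; and pwned() runs; with the fixed escaper it is var defaultQuery = '\\\';pwned();//'; and defaultQuery holds the payload as plain text. Order of the replacements is the whole fix: escaping the backslash last would turn the \' already produced for a quote into \\', reopening the same hole.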


Advisories

No advisories yet.

History

Fri, 08 May 2026 17:30:00 +0000

Metrics
Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 08 May 2026 16:30:00 +0000

Description
Removed: Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \'), breaking out of the string context and executing arbitrary JavaScript in the victim's browser. This issue affects absinthe_plug: from 1.2.0 before 1.10.2.
Added: Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \'), breaking out of the string context and executing arbitrary JavaScript in the victim's browser. This issue affects absinthe_plug: from 1.2.0.

Fri, 08 May 2026 16:00:00 +0000

Description
Added: Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \'), breaking out of the string context and executing arbitrary JavaScript in the victim's browser. This issue affects absinthe_plug: from 1.2.0 before 1.10.2.
Title
Added: Reflected XSS via backslash bypass in GraphiQL js_escape in absinthe_plug
First Time appeared
Added: Absinthe-graphql; Absinthe-graphql absinthe Plug
Weaknesses
Added: CWE-79
CPEs
Added: cpe:2.3:a:absinthe-graphql:absinthe_plug:*:*:*:*:*:*:*:*
Vendors & Products
Added: Absinthe-graphql; Absinthe-graphql absinthe Plug
References
Metrics
Added: cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-09T04:18:21.030Z

Reserved: 2026-04-29T18:06:33.251Z

Link: CVE-2026-42794

Vulnrichment

Updated: 2026-05-08T16:08:18.115Z

NVD

Status : Received

Published: 2026-05-08T16:16:12.750

Modified: 2026-05-08T17:16:31.700

Link: CVE-2026-42794

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T00:30:20Z

Weaknesses