Reflected XSS in GraphQL Playground
Description
GraphQL Playground (graphql-playground-html NPM package) before version 1.6.22 have a severe XSS Reflection attack vulnerability. All unsanitized user input passed into renderPlaygroundPage() method could trigger this vulnerability. This has been patched in graphql-playground-html version 1.6.22. Note that some of the associated dependent middleware packages are also affected including but not limited to graphql-playground-middleware-express before version 1.7.16, graphql-playground-middleware-koa before version 1.6.15, graphql-playground-middleware-lambda before version 1.7.17, and graphql-playground-middleware-hapi before 1.6.13.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
graphql-playground-htmlnpm | < 1.6.22 | 1.6.22 |
Affected products
2- prisma-labs/graphql-playgroundv5Range: < 1.6.22
Patches
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-4852-vrh7-28rfghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-4038ghsaADVISORY
- github.com/graphql/graphql-playground/security/advisories/GHSA-4852-vrh7-28rfghsaWEB
- github.com/prisma-labs/graphql-playground/commit/bf1883db538c97b076801a60677733816cb3cfb7ghsax_refsource_MISCWEB
- github.com/prisma-labs/graphql-playground/security/advisories/GHSA-4852-vrh7-28rfghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.