VYPR
Low severity · 2.3 · NVD Advisory · Published May 8, 2026 · Updated May 16, 2026

CVE-2026-42794

Description

Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface.

'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in a single-quoted inline JavaScript string literal, but does not escape backslashes. An attacker can therefore defeat the quote escaping by placing a backslash in front of a quote (\'): the function rewrites this to \\', which the JavaScript parser reads as an escaped backslash followed by an unescaped quote, so the string literal closes early and the rest of the parameter runs as arbitrary JavaScript in the victim's browser.

This issue affects absinthe_plug: from 1.2.0 before 1.5.10.
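The following is an added example, not code from the absinthe_plug project (which is Elixir): it ports the pre-fix and post-fix js_escape logic to JavaScript, adds a deliberately wrong-order variant, and feeds each result into a stand-in for the single-quoted inline-script sink so the breakout can be observed rather than argued. The sink shape render('...');, the names render and pwn, and the payload are assumptions made for this demonstration; the real GraphiQL template text is not on this page.

```javascript
// Added example (not the project's Elixir code): JavaScript ports of the
// vulnerable and fixed js_escape logic from the advisory, plus an assumed
// single-quoted inline-script sink. "render" and "pwn" are stand-in names.

// Before 1.5.10: only newline and single quote are escaped.
function jsEscapeVulnerable(s) {
  return s.replace(/\n/g, "\\n").replace(/'/g, "\\'");
}

// 1.5.10: backslash first, then quote, LF, CR and "</" (blocks </script>).
function jsEscapeFixed(s) {
  return s
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/\n/g, "\\n")
    .replace(/\r/g, "\\r")
    .replace(/<\//g, "<\\/");
}

// Same replacements in the wrong order: the quote escape inserts a backslash
// that the later backslash escape then doubles, reopening the breakout.
function jsEscapeWrongOrder(s) {
  return s.replace(/'/g, "\\'").replace(/\\/g, "\\\\");
}

// Assumed sink shape: the escaped value lands inside a single-quoted literal
// in an inline <script>. The real GraphiQL template is not shown on the page.
function buildInlineScript(escape, query) {
  return "render('" + escape(query) + "');";
}

// Stand-in for the browser executing the inline script. Reports what render()
// received, whether attacker-controlled code ran, and any parse/runtime error.
function executeInlineScript(script) {
  const outcome = { rendered: null, attackerRan: false, error: null };
  const render = (v) => { outcome.rendered = v; };
  const pwn = () => { outcome.attackerRan = true; };
  try {
    new Function("render", "pwn", script)(render, pwn);
  } catch (e) {
    outcome.error = `${e.name}: ${e.message}`;
  }
  return outcome;
}

// Constructed payload with the same shape as the advisory's test: a backslash
// precedes the quote so the quote escape is neutralised; pwn() stands in for
// confirm(document.domain).
const PAYLOAD = "xxx\\');pwn();//";

function run(escape) {
  return executeInlineScript(buildInlineScript(escape, PAYLOAD));
}

// Summary of all three escapers on the same payload.
function compare() {
  return {
    vulnerable: run(jsEscapeVulnerable),
    wrongOrder: run(jsEscapeWrongOrder),
    fixed: run(jsEscapeFixed),
  };
}

console.log(JSON.stringify(compare(), null, 2));
```

With the vulnerable and wrong-order escapers, render() receives a truncated value and pwn() executes; with the fixed escaper the literal survives intact and render() receives the original parameter unchanged, which is the round-trip property any escaper for this context should satisfy.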


Patches

23a0d5658d32

fix: XSS vulnerability in GraphiQL js_escape function

https://github.com/absinthe-graphql/absinthe_plug · Leandro Moreno · Apr 3, 2026 · via ghsa
2 files changed · +26 −2
  • lib/absinthe/plug/graphiql.ex · +5 −2 · modified
    @@ -395,8 +395,11 @@ defmodule Absinthe.Plug.GraphiQL do
     
       defp js_escape(string) do
         string
    -    |> String.replace(~r/\n/, "\\n")
    -    |> String.replace(~r/'/, "\\'")
    +    |> String.replace("\\", "\\\\")
    +    |> String.replace("'", "\\'")
    +    |> String.replace("\n", "\\n")
    +    |> String.replace("\r", "\\r")
    +    |> String.replace("</", "<\\/")
       end
     
       defp handle_default_headers(config, conn) do
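Review bot: the escape order in the new js_escape is right (backslash first, so the backslashes introduced by the later replacements are not doubled again), but the function remains correct only for a single-quoted literal: a double quote passes through untouched, and the JavaScript line terminators U+2028 and U+2029 are not handled either, although, like the raw \n and \r this hunk now covers, they are syntax errors inside a string literal in engines predating ES2019. If the dependency is acceptable, handing the value to Phoenix.HTML.javascript_escape/1, or embedding it as JSON via Jason.encode!/1, covers the quote, backslash, line-terminator and </ cases in one well-tested call; if the hand-rolled version stays, a comment on js_escape should state that its output is safe only inside a single-quoted literal in an inline script, and the "</" replacement could be joined by "<!" so that the "<!--" sequence the HTML script-data parser treats specially is neutralised as well.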
    
  • test/lib/absinthe/graphiql_test.exs · +21 −0 · modified
    @@ -232,6 +232,27 @@ defmodule Absinthe.Plug.GraphiQLTest do
         assert String.contains?(body, "defaultWebsocketUrl: ''")
       end
     
    +  test "query parameter is properly escaped against XSS" do
    +    opts = Absinthe.Plug.GraphiQL.init(schema: TestSchema)
    +
    +    # This payload would break out of a JS string if backslashes aren't escaped.
    +    # Without the fix: xxx\');confirm(document.domain);// would close the string.
    +    # With the fix: backslashes are escaped so the string stays intact.
    +    xss_payload = "xxx\\');confirm(document.domain);//"
    +
    +    assert %{status: 200, resp_body: body} =
    +             conn(:get, "/?query=#{URI.encode(xss_payload)}")
    +             |> plug_parser
    +             |> put_req_header("accept", "text/html")
    +             |> Absinthe.Plug.GraphiQL.call(opts)
    +
    +    # The payload must NOT appear as unquoted JS code.
    +    # With proper escaping, the backslash before the quote is escaped (\\'),
    +    # so the quote doesn't close the string and the code never executes.
    +    # We check that the escaped version is present (backslash is doubled).
    +    assert String.contains?(body, "xxx\\\\\\');confirm")
    +  end
    +
       defp plug_parser(conn) do
         opts =
           Plug.Parsers.init(
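Review bot: the single positive assertion assert String.contains?(body, "xxx\\\\\\');confirm") only proves the doubled backslash appears somewhere in the body; it should be paired with a negative check that the vulnerable rendering is absent, e.g. refute String.contains?(body, "xxx\\\\');confirm"), otherwise a regression that emits the value twice, or through a second code path, would still pass. The test also covers only the backslash case, while the js_escape change in the other hunk adds \r and </ handling; a second payload such as "</script><script>confirm(1)</script>" asserted to appear as "<\\/script>" would lock those in. Minor: the comment "must NOT appear as unquoted JS code" means code outside the string literal, and the comment that "the backslash before the quote is escaped (\\')" is clearer as "the backslash is doubled (\\\\) before the quote is escaped (\\')", matching the order in js_escape.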
    
