Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2026-42794

Severity CVSS v4.0:
LOW
Type:
CWE-79 Cross-Site Scripting (XSS)
Publication date:
08/05/2026
Last modified:
08/05/2026

Description

Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface.<br /> <br /> &amp;#39;Elixir.Absinthe.Plug.GraphiQL&amp;#39;:js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \&amp;#39;), breaking out of the string context and executing arbitrary JavaScript in the victim&amp;#39;s browser.<br /> <br /> This issue affects absinthe_plug: from 1.2.0.

Impact

Vector 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS v4.0 Severity and Metrics:

Base Score: 2.30 LOW
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Attack Requirements (AT): Present
Privileges Required (PR): None
User Interaction (UI): Passsive
Confidentiality (VC): Low
Integrity (VI): Low
Availability (VA): None
Confidentiality (SC): None
Integrity (SI): None
Availability (SA): None

Base Score 4.0
2.30
Severity 4.0
LOW

References to Advisories, Solutions, and Tools