Unknown · Absinthe Plug · CVE-2026-42794
**Name of the Vulnerable Software and Affected Versions**
Absinthe Plug versions 1.2.0 through 1.10.1
**Description**
Reflected cross-site scripting is possible via the GraphiQL interface. The `js_escape/1` function in `lib/absinthe/plug/graphiql.ex` fails to escape backslashes when processing the `query` GET parameter before embedding it in an inline JavaScript string. An attacker can bypass the existing escaping for single quotes and newlines by prefixing a quote with a backslash, allowing the execution of arbitrary JavaScript in the victim's browser.
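
The containment failure described above can be turned into a regression check. The following is an added example, not absinthe_plug code: `weakEscape` is a JavaScript port of the described behaviour, `strictEscape` is a hypothetical hardened variant (not the 1.10.2 patch), and `checkLiteral`, `audit` and the sample inputs are constructed for illustration.

```javascript
// Added example. weakEscape models the behaviour the advisory describes
// (quotes and newlines escaped, backslashes not); it is a JavaScript port
// for illustration, not absinthe_plug source.
function weakEscape(s) {
  return s.replace(/\n/g, '\\n').replace(/'/g, "\\'");
}

// Hypothetical hardened variant (an assumption, not the 1.10.2 patch):
// escape backslashes first so no input backslash can pair with an
// escape sequence added by the later replacements.
function strictEscape(s) {
  return s.replace(/\\/g, '\\\\').replace(/\n/g, '\\n').replace(/'/g, "\\'");
}

// Read `body` the way a JS tokenizer reads the inside of '...'.
// Simplified: only backslash, single quote and LF are considered.
function checkLiteral(body) {
  for (let i = 0; i < body.length; i++) {
    const c = body[i];
    if (c === '\\') {
      // A backslash consumes the next character; as the last character
      // it would escape the literal's own closing quote.
      if (i + 1 === body.length) {
        return { contained: false, why: 'trailing backslash', at: i };
      }
      i++;
    } else if (c === "'") {
      return { contained: false, why: 'quote closes literal early', at: i };
    } else if (c === '\n') {
      return { contained: false, why: 'raw line break', at: i };
    }
  }
  return { contained: true, why: 'ok', at: -1 };
}

// Constructed sample inputs (benign placeholders, not real queries).
const SAMPLES = ['{ user }', "it's", 'line1\nline2', "\\' rest", 'ends with \\'];

// Return the samples whose escaped form does not stay inside the literal.
function audit(escape) {
  return SAMPLES.filter((s) => !checkLiteral(escape(s)).contained);
}

console.log('weak  :', JSON.stringify(audit(weakEscape)));
console.log('strict:', JSON.stringify(audit(strictEscape)));
```

A lone quote stays contained under both escapers; only inputs containing a backslash separate the two, which is why a test suite that exercises quotes and newlines alone would pass the weak version.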
**Recommendations**
Update to version 1.10.2.