PT-2026-39147 · Unknown · Absinthe Plug

Published 2026-05-08 · Updated 2026-05-16 · CVE-2026-42794
CVSS v3.1: 6.1 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Absinthe Plug versions 1.2.0 through 1.10.1

Description: Reflected cross-site scripting is possible via the GraphiQL interface. The js_escape/1 function in lib/absinthe/plug/graphiql.ex does not escape backslashes when processing the query GET parameter before embedding it in an inline JavaScript string. The existing escaping of single quotes and newlines can therefore be bypassed by prefixing a quote with a backslash, allowing arbitrary JavaScript to execute in the victim's browser.

Recommendations: Update to version 1.10.2.
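
The escaping gap described above, as an added JavaScript illustration that is not the Absinthe Plug source (which is Elixir): a naive escaper that mirrors the reported flaw, a hardened one that escapes the backslash first, and a defender-side check that reports whether an embedded value stays inside its string literal. Function names, the `var query` template and the sample inputs are constructed for this example.

```javascript
// Added illustration (not the Absinthe Plug code): embedding a user-controlled
// value into an inline single-quoted JavaScript string literal.

// Mirrors the flaw described in the advisory: single quotes and newlines are
// escaped, but backslashes are not, so a backslash placed before a quote
// neutralises the escape that was meant to keep the quote inside the string.
function escapeNaive(value) {
  return value.replace(/'/g, "\\'").replace(/\n/g, "\\n");
}

// Hardened version: the escape character itself is escaped first, then the
// quote and the line terminators. Escaping backslashes after the quote would
// re-break the quote escape it just produced.
function escapeSafe(value) {
  return value
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/\n/g, "\\n")
    .replace(/\r/g, "\\r")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029")
    .replace(/<\//g, "<\\/"); // keeps a literal "</script>" from closing the element
}

// Builds the inline statement the way a GraphiQL-style template would
// (hypothetical variable name, constructed for this example).
function buildInlineScript(escapeFn, value) {
  return "var query = '" + escapeFn(value) + "';";
}

// Defender-side check: walk the single-quoted literal honouring backslash
// escapes and report whether the first unescaped quote after the opening one
// is the intended closing quote (the one right before the trailing ';').
// false means the embedded value terminated the string early.
function literalIsIntact(src) {
  let i = src.indexOf("'") + 1;
  while (i < src.length) {
    if (src[i] === "\\") { i += 2; continue; }   // skip the escaped character
    if (src[i] === "'") return i === src.length - 2;
    i += 1;
  }
  return false;                                   // literal never closed
}
```

Serialising the value with JSON.stringify into a double-quoted literal, with `<` additionally encoded as `\u003c`, is the other common way to avoid this bug class.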

Weakness Enumeration

Related Identifiers

CVE-2026-42794
GHSA-C62G-J346-39V5

Affected Products

Absinthe Plug