Absinthe Plug
Approved changes feed: RSS · Atom
cpe:2.3:a:absinthe-graphql:absinthe_plug:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Absinthe Graphql (7fddf56e-a0c2-5080-92c8-5e68f180248c) |
|---|---|
| Product | Absinthe Plug (f4823180-2b15-5591-b746-dc44dab17db7) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from purl2cpe mapping |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
pkg:github/absinthe-graphql/absinthe_plug |
purl2cpe | 2026-06-01 10:16:27.812639 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2026-42794 |
vulnerable | 2026-06-03 15:25:01.534741 |
Reflected XSS via backslash bypass in GraphiQL js_escape in absinthe_plug
Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface.
'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \'), breaking out of the string context and executing arbitrary JavaScript in the victim's browser.
This issue affects absinthe_plug: from 1.2.0 before 1.5.10.
Published: 2026-05-08T15:42:40.706Z
Updated: 2026-05-16T10:21:31.067Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.