PatchSiren cyber security CVE debrief

CVE-2026-42794 Cna CVE debrief

CVE-2026-42794 is a reflected cross-site scripting issue in absinthe_plug’s GraphiQL interface. The flaw is in js_escape/1, which escapes single quotes and newlines in the query GET parameter before embedding it in inline JavaScript, but does not escape backslashes. That leaves the string context breakable with a backslash-prefixed quote, allowing attacker-controlled JavaScript to run in a victim’s browser. The affected range is absinthe_plug 1.2.0 through 1.5.9, with a fix referenced in the upstream commit and the advisory pointing to 1.5.10 as the first safe version.

Vendor: Cna
Product: Unknown
CVSS: LOW 2.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-16
Advisory published: 2026-05-08
Advisory updated: 2026-05-16

Who should care

Teams running Elixir applications that expose Absinthe GraphiQL to browsers should review this promptly, especially if GraphiQL is reachable by untrusted users or used in production, staging, or shared internal environments.

Technical summary

The issue is a CWE-79 reflected XSS in the GraphiQL page generation path. When the query GET parameter is interpolated into an inline JavaScript string, js_escape/1 handles quotes and newlines but omits backslashes. A crafted value can place a backslash before a quote so that the intended string literal is terminated early and attacker-supplied script follows it. The CNA advisory and linked upstream references identify absinthe_plug versions from 1.2.0 up to, but not including, 1.5.10 as affected.

Defensive priority

Low, with faster attention if GraphiQL is exposed to non-trusted users or used in a browser context where session or administrative privileges matter.

Recommended defensive actions

  • Upgrade absinthe_plug to 1.5.10 or later.
  • If you maintain a pinned or forked version, backport the upstream escaping fix from the referenced commit.
  • Review whether GraphiQL is exposed in any environment reachable by untrusted browsers and restrict access where practical.
  • Validate that any custom inline JavaScript rendering paths do not embed unsafely escaped user input.
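The following is an added example, not code from absinthe_plug or its advisory. It reimplements, as a hypothetical JavaScript stand-in for the Elixir js_escape/1 described in the technical summary, an escaper that handles quotes and newlines but not backslashes, places a hardened escaper beside it, and runs both through the check the last bullet asks for: does every escaped value still sit inside its single-quoted JavaScript string literal? The function names, the scanner, and the sample inputs are all constructed for this example.

```javascript
// Added example (not absinthe_plug code): contrasts an escaper that handles
// quotes and newlines but not backslashes with one that escapes the backslash
// first, then checks each result for the property a single-quoted JS string
// literal must have: no unescaped quote before the intended closing quote.

// Mirrors the incomplete behaviour the advisory describes: ' and newline are
// escaped, the backslash is not. Hypothetical stand-in, not the library's
// js_escape/1.
function naiveJsEscape(input) {
  return input.replace(/'/g, "\\'").replace(/\n/g, "\\n");
}

// Hardened form: escape the escape character first, then quotes, line
// terminators, and the sequence that could close an inline <script> block.
function safeJsEscape(input) {
  return input
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/\n/g, "\\n")
    .replace(/\r/g, "\\r")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029")
    .replace(/<\//g, "<\\/");
}

// Scan an escaped body the way a JS parser reads a single-quoted literal:
// a backslash consumes the next character; a bare ' (or a raw line
// terminator) ends the literal early. Returns true when the body can sit
// between two quotes as one intact literal.
function isSingleQuotedLiteralBody(body) {
  for (let i = 0; i < body.length; i++) {
    const ch = body[i];
    if (ch === "\\") {
      i++; // escaped character, whatever it is
      continue;
    }
    if (ch === "'" || ch === "\n" || ch === "\r") return false;
  }
  return true;
}

// Does the escaper keep every sample inside its string literal?
function escaperKeepsContext(escape, samples) {
  return samples.every((s) => isSingleQuotedLiteralBody(escape(s)));
}

// Constructed inputs: ordinary queries plus a value containing a backslash
// directly before a quote, the shape the advisory describes.
const SAMPLES = [
  "{ me { id name } }",
  "line one\nline two",
  "it's fine",
  "query \\' tail", // backslash-prefixed quote
];

// Returns one verdict per escaper so the two can be compared directly.
function demo() {
  return {
    naive: escaperKeepsContext(naiveJsEscape, SAMPLES),
    safe: escaperKeepsContext(safeJsEscape, SAMPLES),
  };
}

console.log(demo()); // { naive: false, safe: true }
```

The scanner is the useful part for a review: point it at the output of any custom escaping path that feeds an inline string literal, with inputs that include backslashes, and it reports whether the literal can be broken out of. Escaping the backslash before anything else is what makes safeJsEscape pass; the order matters, because escaping it last would double the backslashes the earlier replacements just introduced.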

Evidence notes

This debrief is grounded in the supplied CNA advisory, the upstream issue and fix commit, the OSV record, and the NVD-modified source item. The CVE was published on 2026-05-08 and the provided source item shows NVD status as 'Awaiting Analysis' as of 2026-05-16. No exploit code or reproduction instructions are included.

Official resources

Publicly disclosed in the CNA record on 2026-05-08; the supplied NVD source item still listed the CVE as 'Awaiting Analysis' on 2026-05-16.