PatchSiren

CNA CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

LOW CNA CVE published 2026-05-08

CVE-2026-42794

CVE-2026-42794 is a reflected cross-site scripting issue in absinthe_plug’s GraphiQL interface. The flaw is in js_escape/1, which escapes single quotes and newlines in the query GET parameter before embedding it in inline JavaScript, but does not escape backslashes. That leaves the string context breakable with a backslash-prefixed quote, allowing attacker-controlled JavaScript to run in a victim’s browse [truncated]

HIGH CNA CVE published 2026-05-08

CVE-2026-42793

CVE-2026-42793 is an unauthenticated denial-of-service issue in absinthe-graphql Absinthe. When attacker-controlled GraphQL SDL is parsed, multiple Blueprint.Draft.convert/2 paths call String.to_atom/1 on untrusted names such as directive, field, type, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit, repeated unique names can permanently consume atom [truncated]