Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    6 vulnerabilities by absinthe-graphql

    CVE-2026-43967 (GCVE-0-2026-43967)

    Vulnerability from nvd – Published: 2026-05-08 15:42 – Updated: 2026-05-09 04:18
    VLAI
    Title
    Quadratic fragment-name uniqueness check causes denial of service in absinthe
    Summary
    Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation. 'Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames':run/2 iterates over all fragments and for each one calls duplicate?/2, which evaluates Enum.count(fragments, &(&1.name == name)) — a full linear scan of the fragment list. The result is O(N²) comparisons per document, where N is the number of fragment definitions supplied by the caller. Because input.fragments is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 × 10⁹ comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required. This issue affects absinthe: from 1.2.0 before 1.10.2.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-407 - Inefficient Algorithmic Complexity
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    absinthe-graphql absinthe Affected: 1.2.0 , < 1.10.2 (semver)
        cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*
    Create a notification for this product.
    absinthe-graphql absinthe Affected: 0b46e3bcc06c0d3797bacd64761b908a84646c1d , < 223600c520493dcaf95080af552c413099f92c9d (git)
        cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Peter Ullrich Curtis Schiewek
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-43967",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-08T16:07:01.053904Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-08T16:07:10.322Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027"
              ],
              "packageName": "absinthe",
              "packageURL": "pkg:hex/absinthe",
              "product": "absinthe",
              "programFiles": [
                "lib/absinthe/phase/document/validation/unique_fragment_names.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:duplicate?/2"
                }
              ],
              "repo": "https://github.com/absinthe-graphql/absinthe",
              "vendor": "absinthe-graphql",
              "versions": [
                {
                  "lessThan": "1.10.2",
                  "status": "affected",
                  "version": "1.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027"
              ],
              "packageName": "absinthe-graphql/absinthe",
              "packageURL": "pkg:github/absinthe-graphql/absinthe",
              "product": "absinthe",
              "programFiles": [
                "lib/absinthe/phase/document/validation/unique_fragment_names.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:duplicate?/2"
                }
              ],
              "repo": "https://github.com/absinthe-graphql/absinthe",
              "vendor": "absinthe-graphql",
              "versions": [
                {
                  "lessThan": "223600c520493dcaf95080af552c413099f92c9d",
                  "status": "affected",
                  "version": "0b46e3bcc06c0d3797bacd64761b908a84646c1d",
                  "versionType": "git"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.10.2",
                      "versionStartIncluding": "1.2.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Ullrich"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Curtis Schiewek"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation.\u003cp\u003e\u003ctt\u003e\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2\u003c/tt\u003e iterates over all fragments and for each one calls \u003ctt\u003eduplicate?/2\u003c/tt\u003e, which evaluates \u003ctt\u003eEnum.count(fragments, \u0026amp;(\u0026amp;1.name == name))\u003c/tt\u003e \u2014 a full linear scan of the fragment list. The result is O(N\u00b2) comparisons per document, where N is the number of fragment definitions supplied by the caller.\u003c/p\u003e\u003cp\u003eBecause \u003ctt\u003einput.fragments\u003c/tt\u003e is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 \u00d7 10\u2079 comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required.\u003c/p\u003e\u003cp\u003eThis issue affects absinthe: from 1.2.0 before 1.10.2.\u003c/p\u003e"
                }
              ],
              "value": "Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation.\n\n\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2 iterates over all fragments and for each one calls duplicate?/2, which evaluates Enum.count(fragments, \u0026(\u00261.name == name)) \u2014 a full linear scan of the fragment list. The result is O(N\u00b2) comparisons per document, where N is the number of fragment definitions supplied by the caller.\n\nBecause input.fragments is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 \u00d7 10\u2079 comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required.\n\nThis issue affects absinthe: from 1.2.0 before 1.10.2."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-229",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-229 Serialized Data Parameter Blowup"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-407",
                  "description": "CWE-407 Inefficient Algorithmic Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-09T04:18:14.810Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-9mhv-8h52-q7q2"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-43967.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-43967"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/absinthe-graphql/absinthe/commit/223600c520493dcaf95080af552c413099f92c9d"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Quadratic fragment-name uniqueness check causes denial of service in absinthe",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-43967",
        "datePublished": "2026-05-08T15:42:34.347Z",
        "dateReserved": "2026-05-04T18:23:25.573Z",
        "dateUpdated": "2026-05-09T04:18:14.810Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42794 (GCVE-0-2026-42794)

    Vulnerability from nvd – Published: 2026-05-08 15:42 – Updated: 2026-05-16 10:21
    VLAI
    Title
    Reflected XSS via backslash bypass in GraphiQL js_escape in absinthe_plug
    Summary
    Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \'), breaking out of the string context and executing arbitrary JavaScript in the victim's browser. This issue affects absinthe_plug: from 1.2.0 before 1.5.10.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    absinthe-graphql absinthe_plug Affected: 1.2.0 , < 1.5.10 (semver)
        cpe:2.3:a:absinthe-graphql:absinthe_plug:*:*:*:*:*:*:*:*
    Create a notification for this product.
    absinthe-graphql absinthe_plug Affected: 26241817cb4b9be4de3f5972c5fba3d36de3d713 , < 23a0d5658d32420086711adf4ce8f05febb09963 (git)
        cpe:2.3:a:absinthe-graphql:absinthe_plug:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    40826d Bryan A. Enders Leandro Moreno Ben Wilson
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42794",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-08T16:07:51.313563Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-08T16:08:26.818Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/absinthe-graphql/absinthe_plug/issues/275"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:absinthe-graphql:absinthe_plug:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Absinthe.Plug.GraphiQL\u0027"
              ],
              "packageName": "absinthe_plug",
              "packageURL": "pkg:hex/absinthe_plug",
              "product": "absinthe_plug",
              "programFiles": [
                "lib/absinthe/plug/graphiql.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Absinthe.Plug.GraphiQL\u0027:js_escape/1"
                }
              ],
              "repo": "https://github.com/absinthe-graphql/absinthe_plug",
              "vendor": "absinthe-graphql",
              "versions": [
                {
                  "lessThan": "1.5.10",
                  "status": "affected",
                  "version": "1.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:absinthe-graphql:absinthe_plug:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Absinthe.Plug.GraphiQL\u0027"
              ],
              "packageName": "absinthe-graphql/absinthe_plug",
              "packageURL": "pkg:github/absinthe-graphql/absinthe_plug",
              "product": "absinthe_plug",
              "programFiles": [
                "lib/absinthe/plug/graphiql.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Absinthe.Plug.GraphiQL\u0027:js_escape/1"
                }
              ],
              "repo": "https://github.com/absinthe-graphql/absinthe_plug",
              "vendor": "absinthe-graphql",
              "versions": [
                {
                  "lessThan": "23a0d5658d32420086711adf4ce8f05febb09963",
                  "status": "affected",
                  "version": "26241817cb4b9be4de3f5972c5fba3d36de3d713",
                  "versionType": "git"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The application must mount \u003ctt\u003eAbsinthe.Plug.GraphiQL\u003c/tt\u003e on a route that is reachable by untrusted users. The GraphiQL interface is a developer tool and is typically disabled or restricted in production deployments."
                }
              ],
              "value": "The application must mount Absinthe.Plug.GraphiQL on a route that is reachable by untrusted users. The GraphiQL interface is a developer tool and is typically disabled or restricted in production deployments."
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:absinthe-graphql:absinthe_plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.5.10",
                      "versionStartIncluding": "1.2.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "40826d"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Bryan A. Enders"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Leandro Moreno"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Ben Wilson"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface.\u003cp\u003e\u003ctt\u003e\u0027Elixir.Absinthe.Plug.GraphiQL\u0027:js_escape/1\u003c/tt\u003e in \u003ctt\u003elib/absinthe/plug/graphiql.ex\u003c/tt\u003e escapes single quotes and newlines in the \u003ctt\u003equery\u003c/tt\u003e GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \u003ctt\u003e\\\u0027\u003c/tt\u003e), breaking out of the string context and executing arbitrary JavaScript in the victim\u0027s browser.\u003c/p\u003e\u003cp\u003eThis issue affects absinthe_plug: from 1.2.0 before 1.5.10.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface.\n\n\u0027Elixir.Absinthe.Plug.GraphiQL\u0027:js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \\\u0027), breaking out of the string context and executing arbitrary JavaScript in the victim\u0027s browser.\n\nThis issue affects absinthe_plug: from 1.2.0 before 1.5.10."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-86",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-86 XSS Using HTTP Query Strings"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-16T10:21:31.067Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/absinthe-graphql/absinthe_plug/issues/275"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-42794.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-42794"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/absinthe-graphql/absinthe_plug/commit/23a0d5658d32420086711adf4ce8f05febb09963"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Reflected XSS via backslash bypass in GraphiQL js_escape in absinthe_plug",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-42794",
        "datePublished": "2026-05-08T15:42:40.706Z",
        "dateReserved": "2026-04-29T18:06:33.251Z",
        "dateUpdated": "2026-05-16T10:21:31.067Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42793 (GCVE-0-2026-42793)

    Vulnerability from nvd – Published: 2026-05-08 15:42 – Updated: 2026-05-09 12:41
    VLAI
    Title
    Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe
    Summary
    Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL. Multiple Blueprint.Draft.convert/2 implementations in Absinthe's SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node. Any application that passes attacker-controlled GraphQL SDL through Absinthe's parser is exposed — for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents. This issue affects absinthe: from 1.5.0 before 1.10.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    absinthe-graphql absinthe Affected: 1.5.0 , < 1.10.2 (semver)
        cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*
    Create a notification for this product.
    absinthe-graphql absinthe Affected: d0eae7764520d4e8e5dfff619068c0de911aec33 , < dd842b938e3823f345c10416914ffab5d5536838 (git)
        cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Peter Ullrich Curtis Schiewek
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42793",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-08T16:09:01.643983Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-08T16:09:11.643Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Absinthe.Language.DirectiveDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.EnumTypeDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.FieldDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.InputObjectTypeDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.InputValueDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.InterfaceTypeDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.ObjectTypeDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.ScalarTypeDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.UnionTypeDefinition\u0027"
              ],
              "packageName": "absinthe",
              "packageURL": "pkg:hex/absinthe",
              "product": "absinthe",
              "programFiles": [
                "lib/absinthe/language/directive_definition.ex",
                "lib/absinthe/language/enum_type_definition.ex",
                "lib/absinthe/language/field_definition.ex",
                "lib/absinthe/language/input_object_type_definition.ex",
                "lib/absinthe/language/input_value_definition.ex",
                "lib/absinthe/language/interface_type_definition.ex",
                "lib/absinthe/language/object_type_definition.ex",
                "lib/absinthe/language/scalar_type_definition.ex",
                "lib/absinthe/language/union_type_definition.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.DirectiveDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.EnumTypeDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.FieldDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputObjectTypeDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputValueDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InterfaceTypeDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ObjectTypeDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ScalarTypeDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.UnionTypeDefinition\u0027:convert/2"
                }
              ],
              "repo": "https://github.com/absinthe-graphql/absinthe",
              "vendor": "absinthe-graphql",
              "versions": [
                {
                  "lessThan": "1.10.2",
                  "status": "affected",
                  "version": "1.5.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Absinthe.Language.DirectiveDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.EnumTypeDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.FieldDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.InputObjectTypeDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.InputValueDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.InterfaceTypeDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.ObjectTypeDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.ScalarTypeDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.UnionTypeDefinition\u0027"
              ],
              "packageName": "absinthe-graphql/absinthe",
              "packageURL": "pkg:github/absinthe-graphql/absinthe",
              "product": "absinthe",
              "programFiles": [
                "lib/absinthe/language/directive_definition.ex",
                "lib/absinthe/language/enum_type_definition.ex",
                "lib/absinthe/language/field_definition.ex",
                "lib/absinthe/language/input_object_type_definition.ex",
                "lib/absinthe/language/input_value_definition.ex",
                "lib/absinthe/language/interface_type_definition.ex",
                "lib/absinthe/language/object_type_definition.ex",
                "lib/absinthe/language/scalar_type_definition.ex",
                "lib/absinthe/language/union_type_definition.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.DirectiveDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.EnumTypeDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.FieldDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputObjectTypeDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputValueDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InterfaceTypeDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ObjectTypeDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ScalarTypeDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.UnionTypeDefinition\u0027:convert/2"
                }
              ],
              "repo": "https://github.com/absinthe-graphql/absinthe",
              "vendor": "absinthe-graphql",
              "versions": [
                {
                  "lessThan": "dd842b938e3823f345c10416914ffab5d5536838",
                  "status": "affected",
                  "version": "d0eae7764520d4e8e5dfff619068c0de911aec33",
                  "versionType": "git"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.10.2",
                      "versionStartIncluding": "1.5.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Ullrich"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Curtis Schiewek"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.\u003cp\u003eMultiple \u003ctt\u003eBlueprint.Draft.convert/2\u003c/tt\u003e implementations in Absinthe\u0027s SDL language modules call \u003ctt\u003eString.to_atom/1\u003c/tt\u003e on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with \u003ctt\u003esystem_limit\u003c/tt\u003e and taking down the entire node.\u003c/p\u003e\u003cp\u003eAny application that passes attacker-controlled GraphQL SDL through Absinthe\u0027s parser is exposed \u2014 for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.\u003c/p\u003e\u003cp\u003eThis issue affects absinthe: from 1.5.0 before 1.10.2.\u003c/p\u003e"
                }
              ],
              "value": "Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.\n\nMultiple Blueprint.Draft.convert/2 implementations in Absinthe\u0027s SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node.\n\nAny application that passes attacker-controlled GraphQL SDL through Absinthe\u0027s parser is exposed \u2014 for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.\n\nThis issue affects absinthe: from 1.5.0 before 1.10.2."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130 Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-09T12:41:41.873Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-qf4g-9fqq-mmm7"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-42793.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-42793"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/absinthe-graphql/absinthe/commit/dd842b938e3823f345c10416914ffab5d5536838"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-42793",
        "datePublished": "2026-05-08T15:42:46.101Z",
        "dateReserved": "2026-04-29T18:06:33.251Z",
        "dateUpdated": "2026-05-09T12:41:41.873Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42793 (GCVE-0-2026-42793)

    Vulnerability from cvelistv5 – Published: 2026-05-08 15:42 – Updated: 2026-05-09 12:41
    VLAI
    Title
    Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe
    Summary
    Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL. Multiple Blueprint.Draft.convert/2 implementations in Absinthe's SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node. Any application that passes attacker-controlled GraphQL SDL through Absinthe's parser is exposed — for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents. This issue affects absinthe: from 1.5.0 before 1.10.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    absinthe-graphql absinthe Affected: 1.5.0 , < 1.10.2 (semver)
        cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*
    Create a notification for this product.
    absinthe-graphql absinthe Affected: d0eae7764520d4e8e5dfff619068c0de911aec33 , < dd842b938e3823f345c10416914ffab5d5536838 (git)
        cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Peter Ullrich Curtis Schiewek
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42793",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-08T16:09:01.643983Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-08T16:09:11.643Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Absinthe.Language.DirectiveDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.EnumTypeDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.FieldDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.InputObjectTypeDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.InputValueDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.InterfaceTypeDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.ObjectTypeDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.ScalarTypeDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.UnionTypeDefinition\u0027"
              ],
              "packageName": "absinthe",
              "packageURL": "pkg:hex/absinthe",
              "product": "absinthe",
              "programFiles": [
                "lib/absinthe/language/directive_definition.ex",
                "lib/absinthe/language/enum_type_definition.ex",
                "lib/absinthe/language/field_definition.ex",
                "lib/absinthe/language/input_object_type_definition.ex",
                "lib/absinthe/language/input_value_definition.ex",
                "lib/absinthe/language/interface_type_definition.ex",
                "lib/absinthe/language/object_type_definition.ex",
                "lib/absinthe/language/scalar_type_definition.ex",
                "lib/absinthe/language/union_type_definition.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.DirectiveDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.EnumTypeDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.FieldDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputObjectTypeDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputValueDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InterfaceTypeDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ObjectTypeDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ScalarTypeDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.UnionTypeDefinition\u0027:convert/2"
                }
              ],
              "repo": "https://github.com/absinthe-graphql/absinthe",
              "vendor": "absinthe-graphql",
              "versions": [
                {
                  "lessThan": "1.10.2",
                  "status": "affected",
                  "version": "1.5.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Absinthe.Language.DirectiveDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.EnumTypeDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.FieldDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.InputObjectTypeDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.InputValueDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.InterfaceTypeDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.ObjectTypeDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.ScalarTypeDefinition\u0027",
                "\u0027Elixir.Absinthe.Language.UnionTypeDefinition\u0027"
              ],
              "packageName": "absinthe-graphql/absinthe",
              "packageURL": "pkg:github/absinthe-graphql/absinthe",
              "product": "absinthe",
              "programFiles": [
                "lib/absinthe/language/directive_definition.ex",
                "lib/absinthe/language/enum_type_definition.ex",
                "lib/absinthe/language/field_definition.ex",
                "lib/absinthe/language/input_object_type_definition.ex",
                "lib/absinthe/language/input_value_definition.ex",
                "lib/absinthe/language/interface_type_definition.ex",
                "lib/absinthe/language/object_type_definition.ex",
                "lib/absinthe/language/scalar_type_definition.ex",
                "lib/absinthe/language/union_type_definition.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.DirectiveDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.EnumTypeDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.FieldDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputObjectTypeDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputValueDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InterfaceTypeDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ObjectTypeDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ScalarTypeDefinition\u0027:convert/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.UnionTypeDefinition\u0027:convert/2"
                }
              ],
              "repo": "https://github.com/absinthe-graphql/absinthe",
              "vendor": "absinthe-graphql",
              "versions": [
                {
                  "lessThan": "dd842b938e3823f345c10416914ffab5d5536838",
                  "status": "affected",
                  "version": "d0eae7764520d4e8e5dfff619068c0de911aec33",
                  "versionType": "git"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.10.2",
                      "versionStartIncluding": "1.5.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Ullrich"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Curtis Schiewek"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.\u003cp\u003eMultiple \u003ctt\u003eBlueprint.Draft.convert/2\u003c/tt\u003e implementations in Absinthe\u0027s SDL language modules call \u003ctt\u003eString.to_atom/1\u003c/tt\u003e on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with \u003ctt\u003esystem_limit\u003c/tt\u003e and taking down the entire node.\u003c/p\u003e\u003cp\u003eAny application that passes attacker-controlled GraphQL SDL through Absinthe\u0027s parser is exposed \u2014 for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.\u003c/p\u003e\u003cp\u003eThis issue affects absinthe: from 1.5.0 before 1.10.2.\u003c/p\u003e"
                }
              ],
              "value": "Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.\n\nMultiple Blueprint.Draft.convert/2 implementations in Absinthe\u0027s SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node.\n\nAny application that passes attacker-controlled GraphQL SDL through Absinthe\u0027s parser is exposed \u2014 for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.\n\nThis issue affects absinthe: from 1.5.0 before 1.10.2."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130 Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-09T12:41:41.873Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-qf4g-9fqq-mmm7"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-42793.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-42793"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/absinthe-graphql/absinthe/commit/dd842b938e3823f345c10416914ffab5d5536838"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-42793",
        "datePublished": "2026-05-08T15:42:46.101Z",
        "dateReserved": "2026-04-29T18:06:33.251Z",
        "dateUpdated": "2026-05-09T12:41:41.873Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42794 (GCVE-0-2026-42794)

    Vulnerability from cvelistv5 – Published: 2026-05-08 15:42 – Updated: 2026-05-16 10:21
    VLAI
    Title
    Reflected XSS via backslash bypass in GraphiQL js_escape in absinthe_plug
    Summary
    Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \'), breaking out of the string context and executing arbitrary JavaScript in the victim's browser. This issue affects absinthe_plug: from 1.2.0 before 1.5.10.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    absinthe-graphql absinthe_plug Affected: 1.2.0 , < 1.5.10 (semver)
        cpe:2.3:a:absinthe-graphql:absinthe_plug:*:*:*:*:*:*:*:*
    Create a notification for this product.
    absinthe-graphql absinthe_plug Affected: 26241817cb4b9be4de3f5972c5fba3d36de3d713 , < 23a0d5658d32420086711adf4ce8f05febb09963 (git)
        cpe:2.3:a:absinthe-graphql:absinthe_plug:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    40826d Bryan A. Enders Leandro Moreno Ben Wilson
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42794",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-08T16:07:51.313563Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-08T16:08:26.818Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/absinthe-graphql/absinthe_plug/issues/275"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:absinthe-graphql:absinthe_plug:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Absinthe.Plug.GraphiQL\u0027"
              ],
              "packageName": "absinthe_plug",
              "packageURL": "pkg:hex/absinthe_plug",
              "product": "absinthe_plug",
              "programFiles": [
                "lib/absinthe/plug/graphiql.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Absinthe.Plug.GraphiQL\u0027:js_escape/1"
                }
              ],
              "repo": "https://github.com/absinthe-graphql/absinthe_plug",
              "vendor": "absinthe-graphql",
              "versions": [
                {
                  "lessThan": "1.5.10",
                  "status": "affected",
                  "version": "1.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:absinthe-graphql:absinthe_plug:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Absinthe.Plug.GraphiQL\u0027"
              ],
              "packageName": "absinthe-graphql/absinthe_plug",
              "packageURL": "pkg:github/absinthe-graphql/absinthe_plug",
              "product": "absinthe_plug",
              "programFiles": [
                "lib/absinthe/plug/graphiql.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Absinthe.Plug.GraphiQL\u0027:js_escape/1"
                }
              ],
              "repo": "https://github.com/absinthe-graphql/absinthe_plug",
              "vendor": "absinthe-graphql",
              "versions": [
                {
                  "lessThan": "23a0d5658d32420086711adf4ce8f05febb09963",
                  "status": "affected",
                  "version": "26241817cb4b9be4de3f5972c5fba3d36de3d713",
                  "versionType": "git"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The application must mount \u003ctt\u003eAbsinthe.Plug.GraphiQL\u003c/tt\u003e on a route that is reachable by untrusted users. The GraphiQL interface is a developer tool and is typically disabled or restricted in production deployments."
                }
              ],
              "value": "The application must mount Absinthe.Plug.GraphiQL on a route that is reachable by untrusted users. The GraphiQL interface is a developer tool and is typically disabled or restricted in production deployments."
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:absinthe-graphql:absinthe_plug:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.5.10",
                      "versionStartIncluding": "1.2.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "40826d"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Bryan A. Enders"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Leandro Moreno"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Ben Wilson"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface.\u003cp\u003e\u003ctt\u003e\u0027Elixir.Absinthe.Plug.GraphiQL\u0027:js_escape/1\u003c/tt\u003e in \u003ctt\u003elib/absinthe/plug/graphiql.ex\u003c/tt\u003e escapes single quotes and newlines in the \u003ctt\u003equery\u003c/tt\u003e GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \u003ctt\u003e\\\u0027\u003c/tt\u003e), breaking out of the string context and executing arbitrary JavaScript in the victim\u0027s browser.\u003c/p\u003e\u003cp\u003eThis issue affects absinthe_plug: from 1.2.0 before 1.5.10.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface.\n\n\u0027Elixir.Absinthe.Plug.GraphiQL\u0027:js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \\\u0027), breaking out of the string context and executing arbitrary JavaScript in the victim\u0027s browser.\n\nThis issue affects absinthe_plug: from 1.2.0 before 1.5.10."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-86",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-86 XSS Using HTTP Query Strings"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-16T10:21:31.067Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/absinthe-graphql/absinthe_plug/issues/275"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-42794.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-42794"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/absinthe-graphql/absinthe_plug/commit/23a0d5658d32420086711adf4ce8f05febb09963"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Reflected XSS via backslash bypass in GraphiQL js_escape in absinthe_plug",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-42794",
        "datePublished": "2026-05-08T15:42:40.706Z",
        "dateReserved": "2026-04-29T18:06:33.251Z",
        "dateUpdated": "2026-05-16T10:21:31.067Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-43967 (GCVE-0-2026-43967)

    Vulnerability from cvelistv5 – Published: 2026-05-08 15:42 – Updated: 2026-05-09 04:18
    VLAI
    Title
    Quadratic fragment-name uniqueness check causes denial of service in absinthe
    Summary
    Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation. 'Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames':run/2 iterates over all fragments and for each one calls duplicate?/2, which evaluates Enum.count(fragments, &(&1.name == name)) — a full linear scan of the fragment list. The result is O(N²) comparisons per document, where N is the number of fragment definitions supplied by the caller. Because input.fragments is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 × 10⁹ comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required. This issue affects absinthe: from 1.2.0 before 1.10.2.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-407 - Inefficient Algorithmic Complexity
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    absinthe-graphql absinthe Affected: 1.2.0 , < 1.10.2 (semver)
        cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*
    Create a notification for this product.
    absinthe-graphql absinthe Affected: 0b46e3bcc06c0d3797bacd64761b908a84646c1d , < 223600c520493dcaf95080af552c413099f92c9d (git)
        cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Peter Ullrich Curtis Schiewek
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-43967",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-08T16:07:01.053904Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-08T16:07:10.322Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027"
              ],
              "packageName": "absinthe",
              "packageURL": "pkg:hex/absinthe",
              "product": "absinthe",
              "programFiles": [
                "lib/absinthe/phase/document/validation/unique_fragment_names.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:duplicate?/2"
                }
              ],
              "repo": "https://github.com/absinthe-graphql/absinthe",
              "vendor": "absinthe-graphql",
              "versions": [
                {
                  "lessThan": "1.10.2",
                  "status": "affected",
                  "version": "1.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027"
              ],
              "packageName": "absinthe-graphql/absinthe",
              "packageURL": "pkg:github/absinthe-graphql/absinthe",
              "product": "absinthe",
              "programFiles": [
                "lib/absinthe/phase/document/validation/unique_fragment_names.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2"
                },
                {
                  "name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:duplicate?/2"
                }
              ],
              "repo": "https://github.com/absinthe-graphql/absinthe",
              "vendor": "absinthe-graphql",
              "versions": [
                {
                  "lessThan": "223600c520493dcaf95080af552c413099f92c9d",
                  "status": "affected",
                  "version": "0b46e3bcc06c0d3797bacd64761b908a84646c1d",
                  "versionType": "git"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.10.2",
                      "versionStartIncluding": "1.2.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Ullrich"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Curtis Schiewek"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation.\u003cp\u003e\u003ctt\u003e\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2\u003c/tt\u003e iterates over all fragments and for each one calls \u003ctt\u003eduplicate?/2\u003c/tt\u003e, which evaluates \u003ctt\u003eEnum.count(fragments, \u0026amp;(\u0026amp;1.name == name))\u003c/tt\u003e \u2014 a full linear scan of the fragment list. The result is O(N\u00b2) comparisons per document, where N is the number of fragment definitions supplied by the caller.\u003c/p\u003e\u003cp\u003eBecause \u003ctt\u003einput.fragments\u003c/tt\u003e is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 \u00d7 10\u2079 comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required.\u003c/p\u003e\u003cp\u003eThis issue affects absinthe: from 1.2.0 before 1.10.2.\u003c/p\u003e"
                }
              ],
              "value": "Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation.\n\n\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2 iterates over all fragments and for each one calls duplicate?/2, which evaluates Enum.count(fragments, \u0026(\u00261.name == name)) \u2014 a full linear scan of the fragment list. The result is O(N\u00b2) comparisons per document, where N is the number of fragment definitions supplied by the caller.\n\nBecause input.fragments is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 \u00d7 10\u2079 comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required.\n\nThis issue affects absinthe: from 1.2.0 before 1.10.2."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-229",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-229 Serialized Data Parameter Blowup"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-407",
                  "description": "CWE-407 Inefficient Algorithmic Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-09T04:18:14.810Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-9mhv-8h52-q7q2"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-43967.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-43967"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/absinthe-graphql/absinthe/commit/223600c520493dcaf95080af552c413099f92c9d"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Quadratic fragment-name uniqueness check causes denial of service in absinthe",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-43967",
        "datePublished": "2026-05-08T15:42:34.347Z",
        "dateReserved": "2026-05-04T18:23:25.573Z",
        "dateUpdated": "2026-05-09T04:18:14.810Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }