Vulnerability Summary: CVE-2026-42794

Vulnerability Overview
Vulnerability Name: Reflected XSS caused by backslash bypass in GraphiQL
CVE ID: CVE-2026-42794
CVSS Score: 2.3 (Low)
Vulnerability Type: CWE-79 (Cross-Site Scripting)
Description: In and , the function fails to escape backslashes when escaping single quotes and newline characters. An attacker can escape the string context by prefixing the query GET parameter with a backslash (e.g., ), thereby executing arbitrary JavaScript code in the victim's browser.

Affected Scope
Affected Module:
Affected File:
Affected Versions: version 1.2.0 and above; version 20241017cb and above
Configuration Requirements: The application must mount on a route accessible by untrusted users.

Remediation Status: Fixed
Fixed Versions:

An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. ), breaking out of the string context and executing arbitrary JavaScript code in the victim's browser. This implies that in the GET parameters of a GraphQL query, escaping can be bypassed by prefixing with a backslash, for example: (The specific payload needs to be constructed based on the actual GraphQL query structure.)
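The root cause described above is an escaping routine that handles single quotes and newlines but not the backslash itself. The following added example (not GraphiQL's code, and not the patched function from the fixed release) models that weakness next to a hardened escaper and a simple check a reviewer can run over the output. Function names (escapeVulnerable, escapeForSingleQuotedJs, hasUnescapedQuote, roundTrip) and the sample inputs are constructed for this illustration.

```javascript
// Models the class of bug in the advisory: quotes and newlines are escaped,
// but a backslash in the input is passed through untouched, so a preceding
// backslash can neutralise the added escape character. Constructed example,
// not the affected project's actual code.
function escapeVulnerable(s) {
  return s.replace(/'/g, "\\'").replace(/\n/g, '\\n');
}

// Hardened escaper for embedding untrusted text in a single-quoted JS string
// literal inside a <script> block. Order matters: backslashes first, so that
// every later replacement's backslash is itself unambiguous.
function escapeForSingleQuotedJs(s) {
  return s
    .replace(/\\/g, '\\\\')      // backslash must be handled before anything else
    .replace(/'/g, "\\'")
    .replace(/\n/g, '\\n')
    .replace(/\r/g, '\\r')
    .replace(/\u2028/g, '\\u2028') // JS line terminators that are not \n or \r
    .replace(/\u2029/g, '\\u2029')
    .replace(/<\//g, '<\\/');      // keeps "</script>" from closing the script tag
}

// Review check: does the escaped text still contain a single quote that a JS
// parser would treat as the end of the literal? A quote is escaped only when
// preceded by an odd number of consecutive backslashes.
function hasUnescapedQuote(escaped) {
  let backslashes = 0;
  for (const ch of escaped) {
    if (ch === '\\') { backslashes++; continue; }
    if (ch === "'" && backslashes % 2 === 0) return true;
    backslashes = 0;
  }
  return false;
}

// Offline self-check: embed the escaped text in a string literal, evaluate
// the resulting source, and confirm the original value comes back unchanged.
// Uses the Function constructor purely as a local parser, never on untrusted
// input in production.
function roundTrip(s) {
  const src = "return '" + escapeForSingleQuotedJs(s) + "';";
  return new Function(src)();
}

// Constructed sample: a backslash immediately followed by a quote.
const sample = "\\'";
console.log('vulnerable leaves an unescaped quote:', hasUnescapedQuote(escapeVulnerable(sample)));
console.log('hardened keeps the literal closed:', !hasUnescapedQuote(escapeForSingleQuotedJs(sample)));
console.log('round trip preserves input:', roundTrip(sample) === sample);
```

The hasUnescapedQuote check is the useful takeaway for code review: run it over the output of any home-grown escaper with inputs containing backslashes, and if it ever returns true the escaper cannot be trusted for a JavaScript string context. Using JSON.stringify (plus the `</` and U+2028/U+2029 substitutions) is the more conventional route to the same result.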