{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-42793", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "state": "PUBLISHED", "assignerShortName": "EEF", "dateReserved": "2026-04-29T18:06:33.251Z", "datePublished": "2026-05-08T15:42:46.101Z", "dateUpdated": "2026-05-09T12:41:41.873Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.hex.pm", "cpes": ["cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "modules": ["'Elixir.Absinthe.Language.DirectiveDefinition'", "'Elixir.Absinthe.Language.EnumTypeDefinition'", "'Elixir.Absinthe.Language.FieldDefinition'", "'Elixir.Absinthe.Language.InputObjectTypeDefinition'", "'Elixir.Absinthe.Language.InputValueDefinition'", "'Elixir.Absinthe.Language.InterfaceTypeDefinition'", "'Elixir.Absinthe.Language.ObjectTypeDefinition'", "'Elixir.Absinthe.Language.ScalarTypeDefinition'", "'Elixir.Absinthe.Language.UnionTypeDefinition'"], "packageName": "absinthe", "packageURL": "pkg:hex/absinthe", "product": "absinthe", "programFiles": ["lib/absinthe/language/directive_definition.ex", "lib/absinthe/language/enum_type_definition.ex", "lib/absinthe/language/field_definition.ex", "lib/absinthe/language/input_object_type_definition.ex", "lib/absinthe/language/input_value_definition.ex", "lib/absinthe/language/interface_type_definition.ex", "lib/absinthe/language/object_type_definition.ex", "lib/absinthe/language/scalar_type_definition.ex", "lib/absinthe/language/union_type_definition.ex"], "programRoutines": [{"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.DirectiveDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.EnumTypeDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.FieldDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputObjectTypeDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputValueDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InterfaceTypeDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ObjectTypeDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ScalarTypeDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.UnionTypeDefinition':convert/2"}], "repo": "https://github.com/absinthe-graphql/absinthe", "vendor": "absinthe-graphql", "versions": [{"lessThan": "1.10.2", "status": "affected", "version": "1.5.0", "versionType": "semver"}]}, {"collectionURL": "https://github.com", "cpes": ["cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "modules": ["'Elixir.Absinthe.Language.DirectiveDefinition'", "'Elixir.Absinthe.Language.EnumTypeDefinition'", "'Elixir.Absinthe.Language.FieldDefinition'", "'Elixir.Absinthe.Language.InputObjectTypeDefinition'", "'Elixir.Absinthe.Language.InputValueDefinition'", "'Elixir.Absinthe.Language.InterfaceTypeDefinition'", "'Elixir.Absinthe.Language.ObjectTypeDefinition'", "'Elixir.Absinthe.Language.ScalarTypeDefinition'", "'Elixir.Absinthe.Language.UnionTypeDefinition'"], "packageName": "absinthe-graphql/absinthe", "packageURL": "pkg:github/absinthe-graphql/absinthe", "product": "absinthe", "programFiles": ["lib/absinthe/language/directive_definition.ex", "lib/absinthe/language/enum_type_definition.ex", "lib/absinthe/language/field_definition.ex", "lib/absinthe/language/input_object_type_definition.ex", "lib/absinthe/language/input_value_definition.ex", "lib/absinthe/language/interface_type_definition.ex", "lib/absinthe/language/object_type_definition.ex", "lib/absinthe/language/scalar_type_definition.ex", "lib/absinthe/language/union_type_definition.ex"], "programRoutines": [{"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.DirectiveDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.EnumTypeDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.FieldDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputObjectTypeDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputValueDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InterfaceTypeDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ObjectTypeDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ScalarTypeDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.UnionTypeDefinition':convert/2"}], "repo": "https://github.com/absinthe-graphql/absinthe", "vendor": "absinthe-graphql", "versions": [{"lessThan": "dd842b938e3823f345c10416914ffab5d5536838", "status": "affected", "version": "d0eae7764520d4e8e5dfff619068c0de911aec33", "versionType": "git"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.10.2", "versionStartIncluding": "1.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Ullrich"}, {"lang": "en", "type": "remediation developer", "value": "Curtis Schiewek"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.<p>Multiple <tt>Blueprint.Draft.convert/2</tt> implementations in Absinthe's SDL language modules call <tt>String.to_atom/1</tt> on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with <tt>system_limit</tt> and taking down the entire node.</p><p>Any application that passes attacker-controlled GraphQL SDL through Absinthe's parser is exposed \u2014 for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.</p><p>This issue affects absinthe: from 1.5.0 before 1.10.2.</p>"}], "value": "Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.\n\nMultiple Blueprint.Draft.convert/2 implementations in Absinthe's SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node.\n\nAny application that passes attacker-controlled GraphQL SDL through Absinthe's parser is exposed \u2014 for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.\n\nThis issue affects absinthe: from 1.5.0 before 1.10.2."}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"cvssV4_0": {"attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 8.2, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", "dateUpdated": "2026-05-09T12:41:41.873Z"}, "references": [{"tags": ["vendor-advisory", "related"], "url": "https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-qf4g-9fqq-mmm7"}, {"tags": ["related"], "url": "https://cna.erlef.org/cves/CVE-2026-42793.html"}, {"tags": ["related"], "url": "https://osv.dev/vulnerability/EEF-CVE-2026-42793"}, {"tags": ["patch"], "url": "https://github.com/absinthe-graphql/absinthe/commit/dd842b938e3823f345c10416914ffab5d5536838"}], "source": {"discovery": "EXTERNAL"}, "title": "Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe", "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-08T16:09:01.643983Z", "id": "CVE-2026-42793", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-08T16:09:11.643Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-42793", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-08T16:09:01.643983Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-08T16:09:07.595Z"}}], "cna": {"title": "Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Peter Ullrich"}, {"lang": "en", "type": "remediation developer", "value": "Curtis Schiewek"}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"], "repo": "https://github.com/absinthe-graphql/absinthe", "vendor": "absinthe-graphql", "modules": ["'Elixir.Absinthe.Language.DirectiveDefinition'", "'Elixir.Absinthe.Language.EnumTypeDefinition'", "'Elixir.Absinthe.Language.FieldDefinition'", "'Elixir.Absinthe.Language.InputObjectTypeDefinition'", "'Elixir.Absinthe.Language.InputValueDefinition'", "'Elixir.Absinthe.Language.InterfaceTypeDefinition'", "'Elixir.Absinthe.Language.ObjectTypeDefinition'", "'Elixir.Absinthe.Language.ScalarTypeDefinition'", "'Elixir.Absinthe.Language.UnionTypeDefinition'"], "product": "absinthe", "versions": [{"status": "affected", "version": "1.5.0", "lessThan": "1.10.2", "versionType": "semver"}], "packageURL": "pkg:hex/absinthe", "packageName": "absinthe", "programFiles": ["lib/absinthe/language/directive_definition.ex", "lib/absinthe/language/enum_type_definition.ex", "lib/absinthe/language/field_definition.ex", "lib/absinthe/language/input_object_type_definition.ex", "lib/absinthe/language/input_value_definition.ex", "lib/absinthe/language/interface_type_definition.ex", "lib/absinthe/language/object_type_definition.ex", "lib/absinthe/language/scalar_type_definition.ex", "lib/absinthe/language/union_type_definition.ex"], "collectionURL": "https://repo.hex.pm", "defaultStatus": "unaffected", "programRoutines": [{"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.DirectiveDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.EnumTypeDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.FieldDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputObjectTypeDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputValueDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InterfaceTypeDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ObjectTypeDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ScalarTypeDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.UnionTypeDefinition':convert/2"}]}, {"cpes": ["cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"], "repo": "https://github.com/absinthe-graphql/absinthe", "vendor": "absinthe-graphql", "modules": ["'Elixir.Absinthe.Language.DirectiveDefinition'", "'Elixir.Absinthe.Language.EnumTypeDefinition'", "'Elixir.Absinthe.Language.FieldDefinition'", "'Elixir.Absinthe.Language.InputObjectTypeDefinition'", "'Elixir.Absinthe.Language.InputValueDefinition'", "'Elixir.Absinthe.Language.InterfaceTypeDefinition'", "'Elixir.Absinthe.Language.ObjectTypeDefinition'", "'Elixir.Absinthe.Language.ScalarTypeDefinition'", "'Elixir.Absinthe.Language.UnionTypeDefinition'"], "product": "absinthe", "versions": [{"status": "affected", "version": "d0eae7764520d4e8e5dfff619068c0de911aec33", "lessThan": "dd842b938e3823f345c10416914ffab5d5536838", "versionType": "git"}], "packageURL": "pkg:github/absinthe-graphql/absinthe", "packageName": "absinthe-graphql/absinthe", "programFiles": ["lib/absinthe/language/directive_definition.ex", "lib/absinthe/language/enum_type_definition.ex", "lib/absinthe/language/field_definition.ex", "lib/absinthe/language/input_object_type_definition.ex", "lib/absinthe/language/input_value_definition.ex", "lib/absinthe/language/interface_type_definition.ex", "lib/absinthe/language/object_type_definition.ex", "lib/absinthe/language/scalar_type_definition.ex", "lib/absinthe/language/union_type_definition.ex"], "collectionURL": "https://github.com", "defaultStatus": "unaffected", "programRoutines": [{"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.DirectiveDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.EnumTypeDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.FieldDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputObjectTypeDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputValueDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InterfaceTypeDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ObjectTypeDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ScalarTypeDefinition':convert/2"}, {"name": "'Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.UnionTypeDefinition':convert/2"}]}], "references": [{"url": "https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-qf4g-9fqq-mmm7", "tags": ["vendor-advisory", "related"]}, {"url": "https://cna.erlef.org/cves/CVE-2026-42793.html", "tags": ["related"]}, {"url": "https://osv.dev/vulnerability/EEF-CVE-2026-42793", "tags": ["related"]}, {"url": "https://github.com/absinthe-graphql/absinthe/commit/dd842b938e3823f345c10416914ffab5d5536838", "tags": ["patch"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.\n\nMultiple Blueprint.Draft.convert/2 implementations in Absinthe's SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node.\n\nAny application that passes attacker-controlled GraphQL SDL through Absinthe's parser is exposed \u2014 for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.\n\nThis issue affects absinthe: from 1.5.0 before 1.10.2.", "supportingMedia": [{"type": "text/html", "value": "Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.<p>Multiple <tt>Blueprint.Draft.convert/2</tt> implementations in Absinthe's SDL language modules call <tt>String.to_atom/1</tt> on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with <tt>system_limit</tt> and taking down the entire node.</p><p>Any application that passes attacker-controlled GraphQL SDL through Absinthe's parser is exposed \u2014 for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.</p><p>This issue affects absinthe: from 1.5.0 before 1.10.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.10.2", "versionStartIncluding": "1.5.0"}], "operator": "OR"}], "operator": "AND"}], "providerMetadata": {"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", "dateUpdated": "2026-05-09T12:41:41.873Z"}}}, "cveMetadata": {"cveId": "CVE-2026-42793", "state": "PUBLISHED", "dateUpdated": "2026-05-09T12:41:41.873Z", "dateReserved": "2026-04-29T18:06:33.251Z", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "datePublished": "2026-05-08T15:42:46.101Z", "assignerShortName": "EEF"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.\n\nMultiple Blueprint.Draft.convert/2 implementations in Absinthe's SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node.\n\nAny application that passes attacker-controlled GraphQL SDL through Absinthe's parser is exposed \u2014 for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.\n\nThis issue affects absinthe: from 1.5.0 before 1.10.2."}], "id": "CVE-2026-42793", "lastModified": "2026-05-13T15:57:03.607", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}, "published": "2026-05-08T16:16:12.550", "references": [{"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://cna.erlef.org/cves/CVE-2026-42793.html"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://github.com/absinthe-graphql/absinthe/commit/dd842b938e3823f345c10416914ffab5d5536838"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-qf4g-9fqq-mmm7"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://osv.dev/vulnerability/EEF-CVE-2026-42793"}], "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.5.0,1.10.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[d0eae7764520d4e8e5dfff619068c0de911aec33,dd842b938e3823f345c10416914ffab5d5536838)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "absinthe", "vendor": "absinthe-graphql"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.5.0,1.10.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "absinthe", "source": "cna", "vendor": "absinthe-graphql"}, "product": "absinthe", "vendor": "absinthe-graphql"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[d0eae7764520d4e8e5dfff619068c0de911aec33,dd842b938e3823f345c10416914ffab5d5536838)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "absinthe", "source": "cna", "vendor": "absinthe-graphql"}, "product": "absinthe", "vendor": "absinthe-graphql"}], "created": "2026-05-08T17:45:13.102093+00:00", "updated": "2026-05-08T23:30:15.082860+00:00", "vendors": ["absinthe-graphql", "absinthe-graphql$PRODUCT$absinthe"]}