CVE-2025-53528

Source
https://cve.org/CVERecord?id=CVE-2025-53528
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-53528.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-53528
Aliases
Published
2025-07-21T20:15:17.464Z
Modified
2026-04-10T05:32:09.155125Z
Severity
  • 7.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L CVSS Calculator
Summary
Cadwyn is vulnerable to an XSS attack through its docs page
Details

Cadwyn creates production-ready community-driven modern Stripe-like API versioning in FastAPI. In versions before 5.4.3, the version parameter of the "/docs" endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack. This XSS would notably allow an attacker to execute JavaScript code on a user's session for any application based on Cadwyn via a one-click attack. The vulnerability has been fixed in version 5.4.3.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/53xxx/CVE-2025-53528.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/zmievsa/cadwyn

Affected ranges

Type
GIT
Repo
https://github.com/zmievsa/cadwyn
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*
0.3.0
1.*
1.3.2
3.*
3.10.0
3.10.1
3.11.0
3.11.1
3.12.0
3.12.1
3.13.0
3.14.0
3.15.0
3.15.1
3.15.2
3.15.3
3.15.4
3.15.5
3.15.6
3.15.7
3.6.4
3.6.5
3.6.6
3.7.0
3.7.1
3.8.0
3.9.0
3.9.1
4.*
4.0.0
4.1.0
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.3.0
4.3.1
4.4.0
4.4.1
4.4.2
4.4.3
4.4.5
4.5.0
4.6.0
5.*
5.0.0
5.0.0a1
5.1.0
5.1.0a1
5.1.1
5.1.2
5.1.3
5.1.4
5.2.0
5.2.1
5.2.2
5.3.0
5.3.1
5.3.2
5.3.3
5.4.1
5.4.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-53528.json"