{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-53528", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-07-02T15:15:11.514Z", "datePublished": "2025-07-21T20:15:17.464Z", "dateUpdated": "2025-07-23T15:01:36.184Z"}, "containers": {"cna": {"title": "Cadwyn is vulnerable to an XSS attack through its docs page", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/zmievsa/cadwyn/security/advisories/GHSA-2gxp-6r36-m97r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zmievsa/cadwyn/security/advisories/GHSA-2gxp-6r36-m97r"}, {"name": "https://github.com/zmievsa/cadwyn/commit/b424ecd57cd8dabbc8fe39b8f8ccafea629c7728", "tags": ["x_refsource_MISC"], "url": "https://github.com/zmievsa/cadwyn/commit/b424ecd57cd8dabbc8fe39b8f8ccafea629c7728"}], "affected": [{"vendor": "zmievsa", "product": "cadwyn", "versions": [{"version": "< 5.4.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-23T15:01:36.184Z"}, "descriptions": [{"lang": "en", "value": "Cadwyn creates production-ready community-driven modern Stripe-like API versioning in FastAPI. In versions before 5.4.3, the version parameter of the \"/docs\" endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack. This XSS would notably allow an attacker to execute JavaScript code on a user's session for any application based on Cadwyn via a one-click attack. The vulnerability has been fixed in version 5.4.3."}], "source": {"advisory": "GHSA-2gxp-6r36-m97r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-22T19:55:33.509222Z", "id": "CVE-2025-53528", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-22T19:55:52.368Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-53528", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-22T19:55:33.509222Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-22T19:55:41.448Z"}}], "cna": {"title": "Cadwyn is vulnerable to an XSS attack through its docs page", "source": {"advisory": "GHSA-2gxp-6r36-m97r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "zmievsa", "product": "cadwyn", "versions": [{"status": "affected", "version": "< 5.4.3"}]}], "references": [{"url": "https://github.com/zmievsa/cadwyn/security/advisories/GHSA-2gxp-6r36-m97r", "name": "https://github.com/zmievsa/cadwyn/security/advisories/GHSA-2gxp-6r36-m97r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/zmievsa/cadwyn/commit/b424ecd57cd8dabbc8fe39b8f8ccafea629c7728", "name": "https://github.com/zmievsa/cadwyn/commit/b424ecd57cd8dabbc8fe39b8f8ccafea629c7728", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Cadwyn creates production-ready community-driven modern Stripe-like API versioning in FastAPI. In versions before 5.4.3, the version parameter of the \"/docs\" endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack. This XSS would notably allow an attacker to execute JavaScript code on a user's session for any application based on Cadwyn via a one-click attack. The vulnerability has been fixed in version 5.4.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-23T15:01:36.184Z"}}}, "cveMetadata": {"cveId": "CVE-2025-53528", "state": "PUBLISHED", "dateUpdated": "2025-07-23T15:01:36.184Z", "dateReserved": "2025-07-02T15:15:11.514Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-07-21T20:15:17.464Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cadwyn creates production-ready community-driven modern Stripe-like API versioning in FastAPI. In versions before 5.4.3, the version parameter of the \"/docs\" endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack. This XSS would notably allow an attacker to execute JavaScript code on a user's session for any application based on Cadwyn via a one-click attack. The vulnerability has been fixed in version 5.4.3."}, {"lang": "es", "value": "Cadwyn crea un control de versiones de API moderno, similar a Stripe, basado en la comunidad y listo para producci\u00f3n en FastAPI. En las versiones 5.4.3 y anteriores, el par\u00e1metro de versi\u00f3n del endpoint \"/docs\" es vulnerable a un ataque XSS reflejado (Cross-Site Scripting). Este XSS permitir\u00eda a un atacante ejecutar c\u00f3digo JavaScript en la sesi\u00f3n de un usuario para cualquier aplicaci\u00f3n basada en Cadwyn mediante un ataque de un solo clic. La vulnerabilidad se ha corregido en la versi\u00f3n 5.4.4."}], "id": "CVE-2025-53528", "lastModified": "2025-07-23T15:15:33.743", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-07-21T21:15:25.883", "references": [{"source": "[email protected]", "url": "https://github.com/zmievsa/cadwyn/commit/b424ecd57cd8dabbc8fe39b8f8ccafea629c7728"}, {"source": "[email protected]", "url": "https://github.com/zmievsa/cadwyn/security/advisories/GHSA-2gxp-6r36-m97r"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "[email protected]", "type": "Secondary"}]}

{}