CVE-2025-49126 HIGH

CVE-2025-49126: Visionatrix Vulnerable to Reflected XSS Leading to Exfiltration of Secrets

Vendor Visionatrix
Product Visionatrix
Weakness CWE-79 · XSS
Published June 23, 2025
Last update June 23, 2025

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L

What the vulnerability does

Description

Visionatrix is an AI media processing tool built on ComfyUI. In versions from 1.5.0 up to, but not including, 2.5.1, the /docs/flows endpoint is vulnerable to reflected XSS (cross-site scripting), allowing full takeover of the application and exfiltration of secrets stored in it. The implementation uses the get_swagger_ui_html function from FastAPI. This function does not encode or sanitize its arguments before using them to generate the HTML for the Swagger documentation page and is not intended to be used with user-controlled arguments. Any user of this application can be targeted with a one-click attack that can take over their session and all the secrets it may contain. This issue has been patched in version 2.5.1.
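The description above says get_swagger_ui_html pastes its arguments into the page unescaped and must not receive user-controlled values. The following added example (not Visionatrix or FastAPI code) models that property with a constructed stand-in renderer and shows the vulnerable pass-through beside a hardened handler; the flow registry, the name pattern and all function names are assumptions.

```python
import html
import re

# Constructed stand-in for a Swagger-UI page renderer. The real FastAPI helper
# builds a much larger page, but the security-relevant property is the same:
# arguments are interpolated into markup verbatim, with no escaping.
def render_swagger_page(openapi_url: str, title: str) -> str:
    return (
        "<!DOCTYPE html><html><head><title>" + title + "</title></head>"
        '<body><div id="swagger-ui"></div>'
        "<script>SwaggerUIBundle({url: '" + openapi_url + "', dom_id: '#swagger-ui'})"
        "</script></body></html>"
    )

# Vulnerable pattern (the shape the advisory describes for /docs/flows): a value
# taken from the request is handed straight to the renderer and reflected.
def flow_docs_unsafe(flow_name: str) -> str:
    return render_swagger_page(f"/flows/{flow_name}/openapi.json", f"{flow_name} docs")

# Hardened pattern: (1) the request value is only a lookup key into a server-side
# registry, (2) the key must match a strict allowlist pattern, and (3) the display
# title is HTML-escaped as defence in depth before reaching the renderer.
KNOWN_FLOWS = {"upscale": "/flows/upscale/openapi.json",        # constructed sample
               "remove-bg": "/flows/remove-bg/openapi.json"}    # registry
FLOW_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9_-]{0,63}$")

def flow_docs_safe(flow_name: str) -> str:
    if not FLOW_NAME_RE.fullmatch(flow_name):
        raise ValueError("invalid flow name")
    openapi_url = KNOWN_FLOWS.get(flow_name)
    if openapi_url is None:
        raise KeyError("unknown flow")
    # Escape the title anyway so a future registry entry containing markup
    # characters cannot break out of the <title> element.
    return render_swagger_page(openapi_url, html.escape(f"{flow_name} docs"))

def flow_docs_status(flow_name: str) -> str:
    """Classify a request against the hardened handler without raising."""
    try:
        flow_docs_safe(flow_name)
        return "ok"
    except ValueError:
        return "rejected"
    except KeyError:
        return "unknown"

def is_reflected(untrusted: str, page: str) -> bool:
    """Detection check: does the raw untrusted string appear verbatim in the page?"""
    return untrusted in page
```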

Key dates

Disclosure timeline

June 23, 2025 CVE published
June 23, 2025 Record updated