CVE-2025-53528 HIGH

CVE-2025-53528: Cadwyn is vulnerable to an XSS attack through its docs page

Vendor Zmievsa

Product cadwyn

Weakness CWE-79 · XSS

Published July 21, 2025

Last update July 23, 2025

View on NVD All CVEs

CVSS base score

7.6/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

What the vulnerability does

01Description

Cadwyn creates production-ready community-driven modern Stripe-like API versioning in FastAPI. In versions before 5.4.3, the version parameter of the "/docs" endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack. This XSS would notably allow an attacker to execute JavaScript code on a user's session for any application based on Cadwyn via a one-click attack. The vulnerability has been fixed in version 5.4.3.

Key dates

02Disclosure timeline

July 21, 2025 CVE published

July 23, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-53528

Related vulnerabilities

04Related CVE

CVE-2025-10165 AP Background <= 3.8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-2308 ElementInvader Addons for Elementor <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2025-5845 Affiliate Reviews <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via numColumns Parameter CVE-2025-8459 A user with low privileges can inject XSS in the Monitoring Recurrent downtimes page CVE-2025-26870 WordPress JetEngine plugin <= 3.6.4.1 - Cross Site Scripting (XSS) vulnerability