PT-2025-30307

Protozeit · Published 2025-07-21 · Updated 2025-07-23 · CVE-2025-53528

CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Cadwyn versions 5.4.3 and below

Description: Cadwyn is a production-ready, community-driven, modern Stripe-like API versioning tool for FastAPI. The version parameter of the /docs endpoint is susceptible to Reflected Cross-Site Scripting (XSS). This allows an attacker to execute JavaScript in a user's session via a one-click attack. The vulnerable code resides in the swagger dashboard and redoc dashboard functions, which pass the version parameter to FastAPI's get_swagger_ui_html function without proper encoding or sanitization. The user-controlled value is injected within a <script> tag context.

Recommendations: Cadwyn versions 5.4.3 and below: upgrade to version 5.4.4 or later to resolve this issue.
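The description above names the two controls that were missing: validation of the version parameter and encoding for the <script> context it is reflected into. The following is an added example written for this advisory, not Cadwyn's code and not its 5.4.4 fix; it shows the weak pattern (raw concatenation into a script body) beside a hardened form. The version format it allowlists (YYYY-MM-DD dates or the literal "head") and the function names render_docs_page_unsafe / render_docs_page / js_string_literal are assumptions for illustration.

```python
import json
import re
from urllib.parse import quote

# Assumed version shape for this example (date-style versions or "head").
# This allowlist is an assumption, not Cadwyn's own validation logic.
VERSION_RE = re.compile(r"^(head|\d{4}-\d{2}-\d{2})$")


def is_safe_version(version: str) -> bool:
    """Allowlist check: only a strict, expected version shape may reach the page."""
    return VERSION_RE.fullmatch(version) is not None


def js_string_literal(value: str) -> str:
    """Encode a value for embedding inside a <script> block.

    json.dumps produces a quoted JavaScript string literal with quotes and
    backslashes escaped; the extra replacements encode the characters that
    could otherwise close the enclosing <script> element or open a new tag,
    so the HTML parser never sees them as markup.
    """
    literal = json.dumps(value)
    return (
        literal.replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def render_docs_page_unsafe(version: str) -> str:
    """Shape of the weak pattern described in the advisory: the request
    parameter is concatenated into a script body with no validation or
    encoding, so whatever the client sent lands inside the <script> tag."""
    return (
        "<html><body><script>"
        "const openapiUrl = '/openapi.json?version=" + version + "';"
        "</script></body></html>"
    )


def render_docs_page(version: str) -> str:
    """Hardened form: reject unexpected input early, percent-encode the value
    for its URL position, then encode the whole URL for the JS string context."""
    if not is_safe_version(version):
        raise ValueError("unsupported version parameter")
    openapi_url = "/openapi.json?version=" + quote(version, safe="")
    return (
        "<html><body><script>"
        "const openapiUrl = " + js_string_literal(openapi_url) + ";"
        "</script></body></html>"
    )


if __name__ == "__main__":
    # Constructed inputs: one well-formed version and one containing markup
    # characters that the allowlist rejects and the encoder neutralises.
    print(render_docs_page("2024-01-01"))
    print(js_string_literal("a<b>&c"))
```

In a real FastAPI handler the validation step would run before the value is handed to get_swagger_ui_html (or any templating), and a failed check should return a 4xx response rather than a page; the two layers are deliberately independent, so the encoder still protects the script context even if a future version format loosens the allowlist.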

Tags: XSS

Weakness Enumeration

Related Identifiers

CVE-2025-53528
GHSA-2GXP-6R36-M97R
PYSEC-2025-71

Affected Products

Cadwyn
FastAPI