Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
Lifecycle Timeline
6DescriptionGitHub Advisory
Visionatrix is an AI Media processing tool using ComfyUI. In versions 1.5.0 to before 2.5.1, the /docs/flows endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack allowing full takeover of the application and exfiltration of secrets stored in the application. The implementation uses the get_swagger_ui_html function from FastAPI. This function does not encode or sanitize its arguments before using them to generate the HTML for the swagger documentation page and is not intended to be used with user-controlled arguments. Any user of this application can be targeted with a one-click attack that can takeover their session and all the secrets that may be contained within it. This issue has been patched in version 2.5.1.
AnalysisAI
Visionatrix versions 1.5.0 through 2.5.0 contain a Reflected XSS vulnerability in the /docs/flows endpoint that allows unauthenticated attackers to execute arbitrary JavaScript in users' browsers. The vulnerability stems from improper use of FastAPI's get_swagger_ui_html function with unsanitized user-controlled input, enabling session hijacking and exfiltration of application secrets. The CVSS 8.8 score reflects high severity due to network accessibility, low attack complexity, and no privilege requirements, though user interaction is required to trigger the exploit.
Technical ContextAI
Visionatrix is an AI media processing application built on ComfyUI that uses FastAPI for its REST API and Swagger UI for API documentation. The vulnerability exists in the /docs/flows endpoint implementation, which improperly invokes FastAPI's get_swagger_ui_html() function without sanitizing arguments before HTML generation. CWE-79 (Improper Neutralization of Input During Web Page Generation) identifies the root cause: the function was designed for internal, trusted use and does not perform HTML encoding or input validation on its parameters. When user-controlled data (such as query parameters or path segments) is passed directly to get_swagger_ui_html(), it renders unencoded into the HTML document, allowing attackers to inject malicious JavaScript that executes in the victim's browser context with full access to session cookies, localStorage, and application state.
RemediationAI
Immediate patching is required: upgrade Visionatrix from any version in the range 1.5.0–2.5.0 to version 2.5.1 or later. This patch likely implements proper input sanitization (HTML encoding) or removes the use of unsanitized user input to get_swagger_ui_html(). Until patching is feasible: (1) Disable or restrict access to the /docs/flows endpoint via reverse proxy (nginx/Apache rules to block requests to /docs/flows); (2) Implement network-level access controls (firewall rules, WAF rules) to limit who can reach the application; (3) Use HTTP-only and Secure flags on session cookies to prevent JavaScript access (though this is only a partial mitigation for XSS-based exfiltration); (4) Monitor and rotate any secrets that may have been exposed if the application is already deployed. Apply version 2.5.1 as the definitive fix. Check vendor repository/release notes (likely GitHub Visionatrix project) for patch details and upgrade procedures.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18919