3 matches found
CVE-2025-49126 Visionatrix Vulnerable to Reflected XSS Leading to Exfiltration of Secrets
Visionatrix is an AI Media processing tool using ComfyUI. In versions 1.5.0 to before 2.5.1, the /docs/flows endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack allowing full takeover of the application and exfiltration of secrets stored in the application. The implementation us...
CVE-2025-49126
Visionatrix is affected by a Reflected XSS in versions 1.5.0–2.5.0 (fixed in 2.5.1) via the "/docs/flows" endpoint. The root cause is the use of FastAPI’s get_swagger_ui_html without encoding or sanitizing user-controlled arguments, which is used to render the swagger docs. The vulnerability enab...
PT-2025-26621 · Unknown +1 · Visionatrix +1
Name of the Vulnerable Software and Affected Versions: Visionatrix versions 1.5.0 through 2.5.0
Description: The issue concerns a Reflected XSS (Cross-Site Scripting) attack via the "/docs/flows" endpoint, allowing full takeover of the application and exfiltration of secrets stored in the...