VYPR
High severity · 7.6 · OSV Advisory · Published Jul 21, 2025 · Updated Apr 15, 2026

CVE-2025-53528

Description

Cadwyn creates production-ready community-driven modern Stripe-like API versioning in FastAPI. In versions before 5.4.3, the version parameter of the "/docs" endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack. This XSS would notably allow an attacker to execute JavaScript code on a user's session for any application based on Cadwyn via a one-click attack. The vulnerability has been fixed in version 5.4.3.
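To make the description concrete, here is an added example (not from the advisory or the Cadwyn code base) that reproduces the pre-5.4.3 and the 5.4.3 construction of the docs page's `openapi_url`, adds a hypothetical allowlist check on top, and shows which characters the percent-encoding neutralizes. `KNOWN_VERSIONS`, `ROOT_PATH`, `OPENAPI_URL` and the helper names are constructed assumptions.

```python
from typing import Optional
from urllib.parse import quote

# Constructed sample values, not taken from the advisory or from Cadwyn.
KNOWN_VERSIONS = {"2023-01-01", "2024-06-01"}
ROOT_PATH = ""                 # what a root-path extraction would yield for a bare deployment
OPENAPI_URL = "/openapi.json"  # the app's OpenAPI document path


def unsafe_openapi_url(version: str) -> str:
    """Pre-5.4.3 construction: the raw query value is interpolated into the URL."""
    return ROOT_PATH + f"{OPENAPI_URL}?version={version}"


def fixed_openapi_url(version: str) -> str:
    """5.4.3 construction: quote(version, safe='') percent-encodes every reserved
    character, including '/' which the default safe='/' would leave alone."""
    return ROOT_PATH + f"{OPENAPI_URL}?version={quote(version, safe='')}"


def validated_openapi_url(version: str, known_versions=KNOWN_VERSIONS) -> Optional[str]:
    """Hypothetical extra layer (not in the patch): refuse to build a URL for a
    version the application does not serve, so nothing unknown is reflected."""
    if version not in known_versions:
        return None
    return fixed_openapi_url(version)


# Characters that terminate an HTML attribute or a JS string literal. If any of them
# survive into the rendered docs page, the value can alter the surrounding markup.
BREAKOUT_CHARS = set('"\'<>&')


def leaks_breakout_chars(url: str) -> bool:
    """True if the URL still carries a character that could break out of its context."""
    return any(ch in url for ch in BREAKOUT_CHARS)


if __name__ == "__main__":
    # Constructed canary value: a known version with a quote and angle brackets appended.
    canary = '2023-01-01"<x>'
    print(unsafe_openapi_url(canary), leaks_breakout_chars(unsafe_openapi_url(canary)))
    print(fixed_openapi_url(canary), leaks_breakout_chars(fixed_openapi_url(canary)))
    print(validated_openapi_url(canary))  # None: rejected before any URL is built
```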

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
cadwyn    PyPI        < 5.4.3             5.4.3


Patches

b424ecd57cd8 · Fix reported vulnerability (#290)
https://github.com/zmievsa/cadwyn · Stanislav Zmiev · Jul 5, 2025 · via GHSA
5 files changed · +12 −5
  • .all-contributorsrc · +1 −1 · modified
    @@ -1,4 +1,4 @@
     {
         "projectName": "cadwyn",
         "projectOwner": "zmievsa"
    -}
    \ No newline at end of file
    +}
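    Review bot: the only change in this file is the added trailing newline (the `-}` / `\ No newline at end of file` / `+}` lines), which is unrelated to the XSS fix; keeping whitespace-only changes out of a security patch makes it easier to review and to backport cleanly.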
    
  • cadwyn/applications.py · +3 −2 · modified
    @@ -5,6 +5,7 @@
     from logging import getLogger
     from pathlib import Path
     from typing import TYPE_CHECKING, Annotated, Any, Optional, Union, cast
    +from urllib.parse import quote
     
     import fastapi
     from fastapi import APIRouter, FastAPI, HTTPException, routing
    @@ -389,7 +390,7 @@ async def swagger_dashboard(self, req: Request) -> Response:
     
             if version:
                 root_path = self._extract_root_path(req)
    -            openapi_url = root_path + f"{self.openapi_url}?version={version}"
    +            openapi_url = root_path + f"{self.openapi_url}?version={quote(version, safe='')}"
                 oauth2_redirect_url = self.swagger_ui_oauth2_redirect_url
                 if oauth2_redirect_url:
                     oauth2_redirect_url = root_path + oauth2_redirect_url
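    Review bot: `quote(version, safe='')` percent-encodes every reserved character, so a `version` containing quotes, angle brackets or `&` can no longer break out of the `openapi_url` that `swagger_dashboard` builds from it; that is the correct output encoding for a query-string value. Two follow-ups: the endpoint still reflects whatever `version` string arrives, and if the application knows the versions it serves, rejecting an unknown one with a 404 before this line would add a layer that does not depend on encoding; and none of the five changed files is a test, so a regression test that requests the docs page with a `version` containing `"` and `<` and asserts that only the percent-encoded form appears in the response would keep this from being reintroduced.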
    @@ -407,7 +408,7 @@ async def redoc_dashboard(self, req: Request) -> Response:
     
             if version:
                 root_path = self._extract_root_path(req)
    -            openapi_url = root_path + f"{self.openapi_url}?version={version}"
    +            openapi_url = root_path + f"{self.openapi_url}?version={quote(version, safe='')}"
                 return get_redoc_html(openapi_url=openapi_url, title=f"{self.title} - ReDoc")
     
             return self._render_docs_dashboard(req, docs_url=cast("str", self.redoc_url))
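    Review bot: this is the same `root_path + f"{self.openapi_url}?version=..."` construction as in `swagger_dashboard`, fixed with the same `quote(version, safe='')` call. Factoring both into one helper (for example a `_versioned_openapi_url(root_path, version)` method) would leave a single place where the encoding is applied, so a third dashboard or a later refactor cannot bring back the unencoded interpolation in only one of them.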
    
  • CHANGELOG.md · +6 −0 · modified
    @@ -5,6 +5,12 @@ Please follow [the Keep a Changelog standard](https://keepachangelog.com/en/1.0.
     
     ## [Unreleased]
     
    +## [5.4.3]
    +
    +### Fixed
    +
    +* XSS vulnerability in `/docs` and `/redoc` endpoints where the `version` parameter was not properly sanitized, allowing potential cross-site scripting attacks
    +
     ## [5.4.2]
     
     ### Fixed
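    Review bot: the new `## [5.4.3]` heading carries no release date, although the file header points to the Keep a Changelog standard, which writes release headings as `## [5.4.3] - YYYY-MM-DD`; add the date, and consider referencing the advisory identifier from the Fixed entry so that readers scanning the changelog can match this release to the vulnerability report.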
    
  • pyproject.toml · +1 −1 · modified
    @@ -1,6 +1,6 @@
     [project]
     name = "cadwyn"
    -version = "5.4.2"
    +version = "5.4.3"
     description = "Production-ready community-driven modern Stripe-like API versioning in FastAPI"
     authors = [{ name = "Stanislav Zmiev", email = "zmievsa@gmail.com" }]
     license = "MIT"
    
  • uv.lock · +1 −1 · modified
    @@ -98,7 +98,7 @@ wheels = [
     
     [[package]]
     name = "cadwyn"
    -version = "5.4.2"
    +version = "5.4.3"
     source = { editable = "." }
     dependencies = [
         { name = "backports-strenum", marker = "python_full_version < '3.11'" },
    
