{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-07T16:34:36.711","vulnerabilities":[{"cve":{"id":"CVE-2025-49126","sourceIdentifier":"security-advisories@github.com","published":"2025-06-23T18:15:21.517","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Visionatrix is an AI Media processing tool using ComfyUI. In versions 1.5.0 to before 2.5.1, the /docs/flows endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack allowing full takeover of the application and exfiltration of secrets stored in the application. The implementation uses the get_swagger_ui_html function from FastAPI. This function does not encode or sanitize its arguments before using them to generate the HTML for the swagger documentation page and is not intended to be used with user-controlled arguments. Any user of this application can be targeted with a one-click attack that can takeover their session and all the secrets that may be contained within it. This issue has been patched in version 2.5.1."},{"lang":"es","value":"Visionatrix es una herramienta de procesamiento de medios de IA que utiliza ComfyUI. En las versiones 1.5.0 y anteriores a la 2.5.1, el endpoint /docs/flows es vulnerable a un ataque XSS reflejado (Cross-Site Scripting), que permite el control total de la aplicación y la exfiltración de los secretos almacenados en ella. La implementación utiliza la función get_swagger_ui_html de FastAPI. Esta función no codifica ni depura sus argumentos antes de usarlos para generar el HTML de la página de documentación de Swagger y no está diseñada para usarse con argumentos controlados por el usuario. Cualquier usuario de esta aplicación puede ser objeto de un ataque de un solo clic que puede controlar su sesión y todos los secretos que contenga. Este problema se ha corregido en la versión 2.5.1."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":5.3}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"references":[{"url":"https://github.com/Visionatrix/Visionatrix/commit/63aafe6e4d1bffe4bf69e73b6fdfc65c71a8f5b8","source":"security-advisories@github.com"},{"url":"https://github.com/Visionatrix/Visionatrix/security/advisories/GHSA-w36r-9jvx-q48v","source":"security-advisories@github.com"}]}}]}