cvedb.io
CVE-2025-57203
MEDIUM · CVSS 4.8
EPSS exploitation probability: 0%
Published 2025-09-22T20:15:38.483 · Last modified 2026-06-17T09:42:56.143

Summary

MagicProject AI version 9.1 is affected by a Cross-Site Scripting (XSS) vulnerability within the chatbot generation feature available to authenticated admin users. The vulnerability resides in the prompt parameter submitted to the /dashboard/user/generator/generate-stream endpoint via a multipart/form-data POST request. Due to insufficient input sanitization, attackers can inject HTML-based JavaScript payloads. This payload is stored and rendered unsanitized in subsequent views, leading to execution in other users' browsers when they access affected content. This issue allows an authenticated attacker to execute arbitrary JavaScript in the context of another user, potentially leading to session hijacking, privilege escalation, data exfiltration, or administrative account takeover. The appl

Affected products

liquidlabs — magicai

Does this affect you?

Add your gear to cvedb and we'll alert you only when liquidlabs ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.