CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
yaffa v2.0.0 is vulnerable to Cross Site Scripting (XSS). An attacker can inject malicious JavaScript into the "Add Account Group" function on the account-group page, allowing execution of arbitrary script in the context of users who view the affected page.
Analysis
Stored cross-site scripting (XSS) in yaffa v2.0.0 allows unauthenticated remote attackers to inject malicious JavaScript via the 'Add Account Group' function, enabling arbitrary script execution in the browsers of users who view the affected page. The vulnerability requires user interaction (clicking/viewing) to trigger but can compromise account confidentiality and integrity for affected users. EPSS exploitation probability is minimal at 0.02%, indicating low real-world exploitation likelihood despite the moderate CVSS score of 6.1.
Technical Context
This vulnerability stems from improper input validation and output encoding in the account-group management feature of yaffa, a web application. The root cause is classified under CWE-94 (Code Injection), indicating that user-supplied input is processed without adequate sanitization before being rendered in the HTML context. The attack vector is network-based with low complexity: an attacker only needs to submit an account group name containing a JavaScript payload, and the application stores that name and later renders it, unescaped, to subsequent users viewing the account group listing. No authentication is required to exploit the vulnerability (PR:N per the CVSS vector), though successful exploitation depends on UI interaction from a victim user.
Affected Products
yaffa version 2.0.0 is affected. The CPE data provided (cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:*) does not contain vendor-specific product identifiers, suggesting the CVE record may lack complete classification. The primary source repository is available at https://github.com/kantorge/yaffa, and vulnerability details are documented in NIST NVD at https://nvd.nist.gov/vuln/detail/CVE-2025-70844.
Remediation
Update yaffa to a patched version released after v2.0.0; specific patch version numbers are not provided in the available advisory data. As an interim control, operators should apply input validation and context-aware output encoding on the 'Add Account Group' function so that HTML metacharacters (angle brackets, quotes, ampersands) in stored names are escaped before rendering. Content Security Policy (CSP) headers can be deployed to restrict where scripts may be loaded from and to block inline script execution. Consult the project repository at https://github.com/kantorge/yaffa for patch availability and release notes, and monitor the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-70844 for remediation guidance.
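The following is an added example illustrating the interim controls described above; it is written for this page and is not code from the yaffa project. It uses Python to show the principle: an unsafe listing renderer that interpolates stored account-group names straight into HTML, the hardened renderer that applies context-aware escaping, an allowlist validator at the "Add Account Group" boundary, and a CSP header. The sample records, the allowlist policy and the function names are all constructed assumptions.

```python
import html
import re

# Constructed sample data: stored account-group records as they might sit in a
# database after the "Add Account Group" form accepted them without validation.
# The two test strings are generic XSS canaries, not anything yaffa-specific.
SAMPLE_GROUPS = [
    {"id": 1, "name": "Savings"},
    {"id": 2, "name": "<script>alert('xss')</script>"},
    {"id": 3, "name": 'Travel" onmouseover="alert(1)'},
]

# Hypothetical allowlist for group names: word characters, space and a few
# punctuation marks, 1..64 characters. A real deployment would tune this.
_NAME_PATTERN = re.compile(r"[\w .,&()/-]{1,64}")


def render_listing_vulnerable(groups):
    """Unsafe renderer: stored names land in HTML text and attribute context
    verbatim, so a name containing markup becomes live markup."""
    rows = "".join(
        f'<li data-name="{g["name"]}">{g["name"]}</li>' for g in groups
    )
    return f"<ul>{rows}</ul>"


def render_listing_hardened(groups):
    """Hardened renderer: html.escape() encodes < > & and, with quote=True,
    also " and ', which is required for the attribute context."""
    rows = "".join(
        '<li data-name="{attr}">{text}</li>'.format(
            attr=html.escape(g["name"], quote=True),
            text=html.escape(g["name"], quote=True),
        )
        for g in groups
    )
    return f"<ul>{rows}</ul>"


def is_valid_group_name(name):
    """Input validation at the form boundary. This is defence in depth only;
    output encoding remains the primary control, because a name that passes
    validation today may still be rendered in a new context tomorrow."""
    return _NAME_PATTERN.fullmatch(name.strip()) is not None


def validate_group_name(name):
    """Return the normalised name or raise ValueError, the shape a request
    handler would call before persisting the record."""
    cleaned = name.strip()
    if not is_valid_group_name(cleaned):
        raise ValueError("account group name contains disallowed characters")
    return cleaned


def security_headers():
    """Response headers that limit the blast radius of any stored markup that
    still reaches the page: no inline scripts, scripts only from this origin."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "base-uri 'self'; frame-ancestors 'none'"
        ),
        "X-Content-Type-Options": "nosniff",
    }


def contains_raw_markup(rendered_html, groups):
    """Check helper: does any stored name appear unescaped in the output?"""
    risky = [g["name"] for g in groups if not is_valid_group_name(g["name"])]
    return any(name in rendered_html for name in risky)


if __name__ == "__main__":
    print("vulnerable:", render_listing_vulnerable(SAMPLE_GROUPS))
    print("hardened:  ", render_listing_hardened(SAMPLE_GROUPS))
    for g in SAMPLE_GROUPS:
        print(f"{g['name']!r:45} valid={is_valid_group_name(g['name'])}")
    print(security_headers()["Content-Security-Policy"])
```

Running the script prints the two renderings side by side: in the vulnerable output the second record's `<script>` element and the third record's injected `onmouseover` attribute are intact, while in the hardened output they survive only as inert entities such as `&lt;script&gt;` and `&quot;`. The validator rejects both canaries, and the CSP header would additionally stop an inline script from executing even if escaping were missed somewhere else in the application.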
Related Identifiers
EUVD-2025-209275
GHSA-pq95-94c9-j987