CVE-2025-70844

EUVD-2025-209275
yaffa v2.0.0 is vulnerable to Cross Site Scripting (XSS). An attacker can inject malicious JavaScript into the "Add Account Group" function on the account-group page, allowing execution of arbitrary script in the context of users who view the affected page.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 2%
Affected Products (NVD)
VendorProductVersion
kantorgeyaffa
2.0.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/J4cky1028/vulnerability-research/tree/main/CVE-2025-70844
https://github.com/kantorge/yaffa