{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-70844", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-09T13:59:20.267Z", "dateReserved": "2026-01-09T00:00:00.000Z", "datePublished": "2026-04-07T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-07T16:29:24.142Z"}, "descriptions": [{"lang": "en", "value": "yaffa v2.0.0 is vulnerable to Cross Site Scripting (XSS). An attacker can inject malicious JavaScript into the \"Add Account Group\" function on the account-group page, allowing execution of arbitrary script in the context of users who view the affected page."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/kantorge/yaffa"}, {"url": "https://github.com/J4cky1028/vulnerability-research/tree/main/CVE-2025-70844"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T13:58:21.368298Z", "id": "CVE-2025-70844", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T13:59:20.267Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-70844", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T13:58:21.368298Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T13:58:43.232Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/kantorge/yaffa"}, {"url": "https://github.com/J4cky1028/vulnerability-research/tree/main/CVE-2025-70844"}], "descriptions": [{"lang": "en", "value": "yaffa v2.0.0 is vulnerable to Cross Site Scripting (XSS). An attacker can inject malicious JavaScript into the \"Add Account Group\" function on the account-group page, allowing execution of arbitrary script in the context of users who view the affected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-07T16:29:24.142Z"}}}, "cveMetadata": {"cveId": "CVE-2025-70844", "state": "PUBLISHED", "dateUpdated": "2026-04-09T13:59:20.267Z", "dateReserved": "2026-01-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-07T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "yaffa v2.0.0 is vulnerable to Cross Site Scripting (XSS). An attacker can inject malicious JavaScript into the \"Add Account Group\" function on the account-group page, allowing execution of arbitrary script in the context of users who view the affected page."}], "id": "CVE-2025-70844", "lastModified": "2026-04-09T14:16:27.483", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-07T17:16:26.297", "references": [{"source": "cve@mitre.org", "url": "https://github.com/J4cky1028/vulnerability-research/tree/main/CVE-2025-70844"}, {"source": "cve@mitre.org", "url": "https://github.com/kantorge/yaffa"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "yaffa", "vendor": "kantorge"}], "analysis": {"en": {"generated_at": "2026-04-07T22:54:10.997465+00:00", "value": {"mitigation_remediation": ["Verify whether a newer Yaffa release contains a fix; if so, upgrade immediately.", "If an upgrade is not yet available, implement server\u2011side input validation and output escaping for the Add Account Group form.", "Add a Content Security Policy header to restrict script execution to trusted sources.", "Restrict access to the account\u2011group page to users with appropriate permissions.", "Monitor for abnormal JavaScript activity in client browsers."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary Script Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in the open\u2011source Yaffa web application, specifically in version 2.0.0. No other versions have been reported to be affected, and the vendor or CNA name is not identified in the advisory.", "description_and_impact": "Yaffa version 2.0.0 is susceptible to cross\u2011site scripting when users add an account group. The input that is submitted through the add\u2011account\u2011group form is rendered without any sanitization, enabling an attacker to embed malicious JavaScript that executes in the browser context of anyone who views the affected account\u2011group page. This flaw allows arbitrary code to run with the same privileges as the visitor, potentially enabling session hijacking, credential theft, or further compromise of the system through additional web\u2011based attacks.", "risk_and_exploitability": "Because the flaw permits execution of arbitrary script, the risk is high; the potential impact extends to confidentiality, integrity, and availability of the presenting users\u2019 sessions. No CVSS score is given, but XSS vulnerabilities are widely exploited. Exploitation would most likely occur via a web browser that renders the account\u2011group page, and may require the attacker to obtain or forge inputs through the add\u2011account\u2011group interface. No EPSS data is available, but the commonness of XSS suggests a reasonable likelihood of exploitation."}}}}, "created": "2026-04-08T19:50:17.215915+00:00", "title": "Cross Site Scripting in Yaffa \"Add Account Group\" Feature", "updated": "2026-04-09T08:24:29.675611+00:00", "vendors": ["kantorge", "kantorge$PRODUCT$yaffa"], "weaknesses": ["CWE-79"]}