CVE-2025-70844
Received Received - Intake
Cross-Site Scripting in yaffa v2.0.0 Account Group Function

Publication date: 2026-04-07

Last updated on: 2026-04-14

Assigner: MITRE

Description
yaffa v2.0.0 is vulnerable to Cross Site Scripting (XSS). An attacker can inject malicious JavaScript into the "Add Account Group" function on the account-group page, allowing execution of arbitrary script in the context of users who view the affected page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-14
NVD
CVE-2025-70844
EUVD
EUVD-2025-209275
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kantorge yaffa 2.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-70844 is a stored Cross-Site Scripting (XSS) vulnerability in yaffa version 2.0.0. It allows an attacker to inject malicious JavaScript code into the "Add Account Group" function on the account-group page. When other users view this page, the injected script executes in their browser context.

Impact Analysis

This vulnerability can lead to execution of arbitrary scripts in the browsers of users who view the affected page. This can compromise user security by enabling actions such as stealing session cookies, redirecting users to malicious sites, or performing unauthorized actions on behalf of the user.

Detection Guidance

The vulnerability is a stored Cross-Site Scripting (XSS) in the "Add Account Group" function on the account-group page of yaffa v2.0.0. Detection involves checking for malicious JavaScript code injected into this function.

Since this is a web application vulnerability, detection can be done by inspecting the account-group page for unexpected or suspicious script tags or JavaScript code in the account group names or descriptions.

Automated scanning tools for XSS vulnerabilities can be used against the affected page.

Specific commands are not provided in the resources, but general approaches include using web vulnerability scanners like OWASP ZAP or Burp Suite to test the "Add Account Group" input for script injection.

Mitigation Strategies

Immediate mitigation steps include avoiding the use of the "Add Account Group" function until a patch or fix is applied.

Implement input validation and output encoding on the account-group page to prevent injection and execution of malicious scripts.

Update yaffa to a version where this vulnerability is fixed once available.

Restrict access to the affected page to trusted users only to minimize exposure.

Compliance Impact

The provided information does not specify how the Cross Site Scripting (XSS) vulnerability in yaffa v2.0.0 impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-70844. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart