{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-70844", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-09T13:59:20.267Z", "dateReserved": "2026-01-09T00:00:00.000Z", "datePublished": "2026-04-07T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-07T16:29:24.142Z"}, "descriptions": [{"lang": "en", "value": "yaffa v2.0.0 is vulnerable to Cross Site Scripting (XSS). An attacker can inject malicious JavaScript into the \"Add Account Group\" function on the account-group page, allowing execution of arbitrary script in the context of users who view the affected page."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/kantorge/yaffa"}, {"url": "https://github.com/J4cky1028/vulnerability-research/tree/main/CVE-2025-70844"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T13:58:21.368298Z", "id": "CVE-2025-70844", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T13:59:20.267Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-70844", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T13:58:21.368298Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T13:58:43.232Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/kantorge/yaffa"}, {"url": "https://github.com/J4cky1028/vulnerability-research/tree/main/CVE-2025-70844"}], "descriptions": [{"lang": "en", "value": "yaffa v2.0.0 is vulnerable to Cross Site Scripting (XSS). An attacker can inject malicious JavaScript into the \"Add Account Group\" function on the account-group page, allowing execution of arbitrary script in the context of users who view the affected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-07T16:29:24.142Z"}}}, "cveMetadata": {"cveId": "CVE-2025-70844", "state": "PUBLISHED", "dateUpdated": "2026-04-09T13:59:20.267Z", "dateReserved": "2026-01-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-07T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kantorge:yaffa:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D877A7F1-A45B-4E7C-9686-FF494E9F679D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "yaffa v2.0.0 is vulnerable to Cross Site Scripting (XSS). An attacker can inject malicious JavaScript into the \"Add Account Group\" function on the account-group page, allowing execution of arbitrary script in the context of users who view the affected page."}], "id": "CVE-2025-70844", "lastModified": "2026-04-14T15:46:12.757", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-07T17:16:26.297", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/J4cky1028/vulnerability-research/tree/main/CVE-2025-70844"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/kantorge/yaffa"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "yaffa", "vendor": "kantorge"}], "analysis": {"en": {"generated_at": "2026-04-14T18:06:32.323351+00:00", "value": {"mitigation_remediation": ["Check the yaffa repository or vendor for an official update that resolves the XSS flaw; if none is available, apply local code changes to sanitize user input in the Add Account Group page.", "Ensure all user-supplied data is properly encoded before rendering on the account\u2011group page to prevent script execution.", "Restrict access to the Add Account Group feature to authorized administrators only.", "Deploy a web application firewall with XSS protection rules to block reflected malicious payloads.", "Monitor user sessions for anomalous client-side activity and educate end users about phishing attempts."], "summary": {"action": "Apply Fix", "impact": "client-side code injection via XSS"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts the yaffa web application, specifically the 2.0.0 release listed on the public GitHub repository. No CNA vendor product information is provided, and the source code is openly available. Users running this version and exposing the account\u2011group page over the network are susceptible.", "description_and_impact": "The identified weakness is a cross-site scripting flaw in the Add Account Group function of yaffa version 2.0.0. An attacker can deliver malicious JavaScript that runs in the browser of anyone who views the affected account\u2011group page. The injected script has full access to the client\u2019s execution context, allowing cookie theft, session hijacking, or further in-page manipulation.", "risk_and_exploitability": "The CVSS score of 6.1 indicates medium severity, and the EPSS score of less than 1% suggests low current exploit probability. Because the flaw is web-based, an attacker only needs to persuade a user to load the manipulated page, which can be achieved via phishing, social engineering, or compromise of the site. The vulnerability is not yet recorded in the CISA KEV catalog, and there is no patch or official workaround disclosed."}}}}, "created": "2026-04-08T19:50:17.215915+00:00", "updated": "2026-04-15T16:30:09.726681+00:00", "vendors": ["kantorge", "kantorge$PRODUCT$yaffa"]}