The nchankov Autocompleter component versions up to 1.3.5.2 contain a CSRF vulnerability that enables stored XSS attacks. This means that an attacker can trick a user into submitting a request that causes malicious scripts to be stored and later executed in the context of the vulnerable application. The vulnerability has a CVSS 3.1 base score of 7.1, indicating high severity with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality, integrity, and availability.

Successful exploitation of this vulnerability can lead to stored XSS, which may allow attackers to execute arbitrary scripts in the context of the affected application, potentially leading to data theft, session hijacking, or other malicious actions. The CSRF aspect allows attackers to induce victims to perform unwanted actions without their consent. The combined impact affects confidentiality, integrity, and availability to a limited extent as indicated by the CVSS vector.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch or official fix information is provided, users should monitor the vendor's communications for updates. In the meantime, consider implementing CSRF protections such as anti-CSRF tokens and input validation to mitigate risk. Avoid deploying vulnerable versions in production environments until a fix is available.