The vulnerability CVE-2025-28891 affects the jazzigor price-calc software through a CSRF flaw that enables Stored XSS attacks. This means that an attacker can trick a user into submitting unauthorized requests that result in malicious scripts being stored and executed in the context of the application. The affected versions are from initial release through 0.6.3. The CVSS 3.1 vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality, integrity, and availability.

Successful exploitation of this vulnerability can lead to Stored XSS, allowing attackers to execute arbitrary scripts in the victim's browser within the context of the affected application. This can result in session hijacking, defacement, or other malicious actions. The CSRF aspect means attackers can induce authenticated users to perform unwanted actions without their consent. The overall impact is rated high due to combined CSRF and Stored XSS risks.

No official patch or remediation guidance is currently available for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, users should consider implementing CSRF protections such as anti-CSRF tokens and input validation to mitigate risk. Monitoring vendor channels for updates is advised.