The Nepali Date Utilities library (versions <= 1.0.15) contains a CSRF vulnerability that enables stored XSS attacks. This means that an attacker could trick a user into submitting unauthorized requests that result in malicious scripts being stored and executed in the context of the application. The vulnerability is remotely exploitable without privileges but requires user interaction. The CVSS vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and impacts on confidentiality, integrity, and availability at a low level.

Successful exploitation of this vulnerability could allow attackers to execute stored XSS attacks via CSRF, potentially leading to unauthorized actions performed with the victim's privileges. This can result in partial compromise of confidentiality, integrity, and availability of the affected system or user data. However, there are no reports of active exploitation in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or fix information is provided, users should monitor the vendor's communications for updates. In the meantime, applying standard CSRF mitigations such as implementing anti-CSRF tokens and validating request origins may reduce risk.