The vulnerability identified as CVE-2025-39381 affects Kiotviet KiotViet Sync through version 1.8.4 and involves Cross-Site Request Forgery (CWE-352). This flaw enables an attacker to trick an authenticated user into submitting unauthorized requests, which can result in stored XSS attacks. The CVSS 3.1 base score is 7.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and impacts on confidentiality, integrity, and availability. No patch or official fix information is currently available, and the product is not a cloud service, so remediation depends on vendor updates.

Successful exploitation of this vulnerability can allow attackers to execute unauthorized actions with the privileges of an authenticated user, potentially injecting stored malicious scripts (XSS). This can lead to compromise of user data confidentiality, integrity, and availability of the affected system. The vulnerability is rated high severity with a CVSS score of 7.1. There are no known exploits in the wild currently.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should apply general CSRF mitigations such as validating anti-CSRF tokens and restricting user actions to trusted contexts. Monitor vendor channels for updates and apply patches promptly once available.