The vulnerability CVE-2025-70844 affects yaffa version 2.0.0 and is classified as a Cross Site Scripting (XSS) issue. Specifically, the "Add Account Group" function on the account-group page does not properly sanitize user input, enabling attackers to inject arbitrary JavaScript code. When other users view this page, the malicious script executes in their browser context, potentially leading to information disclosure or session hijacking. The CVSS v3.1 base score is 6.1, with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality and integrity with no impact on availability. No official patch or remediation level has been published by the vendor, and no known exploits have been reported.

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of users who access the affected account-group page. This can lead to partial confidentiality and integrity impacts, such as theft of session tokens or manipulation of displayed content. There is no reported impact on system availability. The vulnerability requires user interaction (viewing the maliciously crafted page) and can be exploited remotely over the network.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should exercise caution when interacting with the "Add Account Group" function and avoid visiting untrusted links or pages that may contain malicious input. Implementing web application firewall (WAF) rules to detect and block XSS payloads on the affected endpoint may provide temporary mitigation.