CVE-2025-70844: yaffa vulnerable to Cross Site Scripting

April 7, 2026 (updated April 10, 2026)

yaffa v2.0.0 is vulnerable to Cross Site Scripting (XSS). An attacker can inject malicious JavaScript into the “Add Account Group” function on the account-group page, allowing execution of arbitrary script in the context of users who view the affected page.

References

github.com/J4cky1028/vulnerability-research/tree/main/CVE-2025-70844
github.com/advisories/GHSA-pq95-94c9-j987
github.com/kantorge/yaffa
nvd.nist.gov/vuln/detail/CVE-2025-70844

Code Behaviors & Features

Detect and mitigate CVE-2025-70844 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →