CVE-2025-70060
Description
An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in YMFE yapi v1.12.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in YMFE YApi v1.12.0 allows attackers to inject malicious scripts via improper input neutralization.
Vulnerability
Overview
CVE-2025-70060 describes a cross-site scripting (XSS) vulnerability in YMFE YApi version 1.12.0, an open-source API management platform [1]. The issue stems from improper neutralization of user-supplied input during web page generation (CWE-79) [3]. This allows an attacker to inject arbitrary JavaScript or HTML into the application's pages.
Exploitation
The vulnerability can be exploited by an authenticated or unauthenticated attacker, depending on which input field is affected. Since YApi allows users to create and manage API documentation, an attacker could inject malicious scripts into project descriptions, interface parameters, or other user-editable fields. When other users view the affected page, the injected script executes in their browser context. No special network position is required beyond access to the YApi instance.
Impact
Successful exploitation leads to stored XSS, enabling the attacker to steal session cookies, perform actions on behalf of the victim, or deface the application. The CVSS v3 score of 5.4 (Medium) reflects the potential for unauthorized data access and partial compromise of confidentiality and integrity.
Mitigation
As of the publication date, no official patch has been released for YApi v1.12.0 [3]. Users are advised to apply strict input validation and output encoding, or consider upgrading to a patched version when available. The YApi project is actively maintained on GitHub [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
YMFE/yapi
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://gist.github.com/zcxlighthouse/b9dc0586016699397c476fda02abc0c7 (Third Party Advisory, via NVD)
News mentions
No linked articles in our index yet.