CVE-2025-64087

CRITICAL SEVERITY

CVSS Score & Metrics

Base Score

9.8 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H                                    

Vulnerability Description

A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport v1.0.0 to v2.1.0 allows attackers to execute arbitrary code via injecting crafted template expressions.

Vulnerability Details

Published Date

January 20, 2026

Last Modified

January 26, 2026

CWE ID

CWE-1336

Source

GitHub

Vendor

maven

Product

fr.opensagres.xdocreport:fr.opensagres.xdocreport.template.freemarker

External References

https://nvd.nist.gov/vuln/detail/CVE-2025-64087
https://github.com/opensagres/xdocreport/pull/705
https://github.com/AT190510-Cuong/CVE-2025-64087-SSTI-
https://hackmd.io/@cuongnh/BJEnw7SAlg
https://hackmd.io/@cuongnh/SkQvhEf0lx
https://github.com/opensagres/xdocreport/commit/3b35d105e5ae2006bcaa2b07563188efc466711d
https://github.com/advisories/GHSA-r8w2-w357-9pjv

CVE-2025-64087

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment