Xdocreport
CVE-2025-64087
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 2 maven packages depend on fr.opensagres.xdocreport:fr.opensagres.xdocreport.template.freemarker (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 2.2.0.
DescriptionCVE.org
A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport v1.0.0 to v2.1.0 allows attackers to execute arbitrary code via injecting crafted template expressions.
AnalysisAI
A server-side template injection vulnerability (CWE-1336) with CVSS 9.8 allows remote attackers to execute arbitrary code through crafted template expressions.
Technical ContextAI
This CWE-1336 vulnerability involves improper neutralization of special elements used in template engine expressions. Attackers can inject template syntax that the server-side engine evaluates, leading to arbitrary code execution.
RemediationAI
Sanitize all user input before template rendering. Use sandboxed template engines. Apply vendor patches.
More in Xdocreport
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-r8w2-w357-9pjv