Xdocreport CVE-2025-65482

Severity: CRITICAL (CVSS 3.1 score 9.8)
Weakness: Improper Restriction of XML External Entity Reference (CWE-611)
2026-01-20 cve@mitre.org GHSA-7jc7-g598-2p64

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline

  • Patch released: Mar 31, 2026 - 21:13 (nvd). Patch available.
  • Analysis generated: Mar 12, 2026 - 21:54 (vuln.today)
  • CVE published: Jan 20, 2026 - 16:16 (nvd). CRITICAL 9.8.

Blast Radius

Ecosystem impact
  • 6 maven packages depend on fr.opensagres.xdocreport:fr.opensagres.xdocreport.document (6 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.9.2.

Description (NVD)

An XML External Entity (XXE) vulnerability in opensagres XDocReport v0.9.2 to v2.0.3 allows attackers to execute arbitrary code via uploading a crafted .docx file.

Analysis (AI)

XDocReport v0.9.2 through v2.0.3 has an XML External Entity (XXE) vulnerability that allows attackers to read arbitrary files, perform SSRF, and potentially achieve remote code execution.

Technical Context (AI)

XDocReport versions 0.9.2 to 2.0.3 process XML input without disabling external entity resolution (CWE-611). This allows attackers to define external entities that reference local files, internal network resources, or exploit-chain protocols.

Remediation (AI)

Update XDocReport to a version that disables external entity processing by default. Configure XML parsers to disable DTD processing.
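
One way to apply the "disable DTD processing" advice at the upload boundary, as an added example that is not XDocReport's code or its patch: a gate that parses every XML part of an uploaded .docx with a hardened JAXP parser and rejects the file if any part carries a DOCTYPE. The class name `DocxDoctypeGate`, the method `firstRejectedPart`, the `MAX_PART` cap, the checked file extensions and the sample documents are assumptions made for illustration; it needs Java 11 or later.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.zip.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.*;

public class DocxDoctypeGate {
    static final int MAX_PART = 16 * 1024 * 1024; // assumed size cap per XML part

    // Hardened reader: a DOCTYPE is a fatal error, so no entity is ever declared or resolved.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return f.newSAXParser().getXMLReader();
    }

    // Returns the first XML part that fails hardened parsing, or null if every part passes.
    static String firstRejectedPart(InputStream docx) throws Exception {
        XMLReader reader = hardenedReader();
        try (ZipInputStream zin = new ZipInputStream(docx)) {
            for (ZipEntry e; (e = zin.getNextEntry()) != null; ) {
                String n = e.getName().toLowerCase();
                // Assumption: XML lives in .xml and .rels parts; extend the list as needed.
                if (e.isDirectory() || !(n.endsWith(".xml") || n.endsWith(".rels"))) continue;
                byte[] part = zin.readNBytes(MAX_PART + 1); // buffered so the parser cannot close the zip
                if (part.length > MAX_PART) return e.getName();
                try {
                    reader.parse(new InputSource(new ByteArrayInputStream(part)));
                } catch (SAXException ex) { return e.getName(); } // DOCTYPE or malformed XML
            }
        }
        return null;
    }

    // Builds a one-entry archive in memory (constructed sample input, not a real .docx).
    static byte[] zip(String name, String xml) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (ZipOutputStream z = new ZipOutputStream(out)) {
            z.putNextEntry(new ZipEntry(name));
            z.write(xml.getBytes(StandardCharsets.UTF_8));
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] ok = zip("word/document.xml", "<doc>hello</doc>");
        byte[] bad = zip("word/document.xml", "<!DOCTYPE doc [<!ENTITY e \"x\">]><doc>&e;</doc>");
        System.out.println("benign sample rejected part: " + firstRejectedPart(new ByteArrayInputStream(ok)));
        System.out.println("DOCTYPE sample rejected part: " + firstRejectedPart(new ByteArrayInputStream(bad)));
    }
}
```

The gate only filters input before it reaches the library; it does not change how XDocReport itself parses XML, so it complements the update rather than replacing it.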
