CRITICAL🇵🇱 Wersja polska

CVE-2025-64087

CVSS 9.8v3.1pub. 2026-01-20upd. 2026-02-03

A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport v1.0.0 to v2.1.0 allows attackers to execute arbitrary code via injecting crafted template expressions.

🤖 AI Analysis
How it works

An attacker injects crafted template expressions into the FreeMarker engine handled by XDocReport. The library processes the supplied data as template code instead of treating it as plain text, leading to interpretation and execution of embedded commands on the server side. The attack requires no authentication or user interaction, and the complexity of carrying it out is low.

Impact

Successful exploitation of the vulnerability allows an attacker to execute arbitrary code remotely (RCE) on the server, which may lead to complete system compromise, disclosure of sensitive data, and violation of service integrity and availability.

Mitigation & patch

Apply patches available from the vendor according to the references — pull request no. 705 is available in the opensagres/xdocreport GitHub repository. It is recommended to urgently update to a version containing the fix and to restrict the ability to provide external input data to template processing mechanisms.

Who is affected

opensagres XDocReport in versions from 1.0.0 to 2.1.0 (FreeMarker component)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Opensagres Xdocreport

    APP
    Opensagres
    1.0.0 – 2.1.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2025-65482CRITICAL9.8PL ✓ten sam produkt

XXE/RCE w opensagres XDocReport — złośliwy plik .docx