Cyber Posture

CVE-2025-60355

Severity: Critical · Public PoC available

Published: 28 October 2025
Modified: 04 March 2026
KEV Added: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0004 (10.7th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-60355 is a critical-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Zhyd Oneblog. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score of 0.0004 places it at the 10.7th percentile of exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced, however, so the low EPSS should not be read as low exposure for Internet-facing OneBlog instances.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique (T1221). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5, AI-generated)

prevent: SI-2 (Flaw Remediation) requires timely patching or remediation of the SSTI flaw in OneBlog's FreeMarker template handling, which is the only change that removes the vulnerability itself. Upgrade to a release later than 2.3.9 once one is available; until then treat the instance as exposed.

prevent: SI-10 (Information Input Validation) enforces validation of user-supplied data before it reaches FreeMarker. The decisive check is structural, not a blocklist: user input must only ever be passed to a template as data model values, never compiled as template source. Rejecting FreeMarker syntax (${ }, #{ }, <# >, <@ >, ?new) in fields that are later stored as template text is a secondary layer.

prevent: CM-6 (Configuration Settings) establishes a secure baseline for the FreeMarker Configuration used by OneBlog: restrict the ?new built-in through a TemplateClassResolver that allows nothing (or the safer resolver at minimum) and keep the ?api built-in disabled, so that a template that does get injected cannot instantiate arbitrary Java classes.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1221 Template Injection (Defense Evasion): Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.

Why these techniques?

The CVE describes unauthenticated remote exploitation of a public-facing web application via Server-Side Template Injection (SSTI) in FreeMarker templates, which may enable arbitrary code execution on the server; that is a direct match for T1190 (Exploit Public-Facing Application). The T1221 mapping is by name only: ATT&CK's T1221 describes references inserted into user document templates (for example Office templates) and sits under Defense Evasion, whereas this flaw is server-side template evaluation in a web application. Detection engineering should key on T1190 and on web request content rather than on document-template telemetry.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

zhangyd-c OneBlog v2.3.9 and before was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates.

Deeper analysis (AI-generated)

CVE-2025-60355 is a Server-Side Template Injection (SSTI) vulnerability in zhangyd-c OneBlog versions 2.3.9 and prior, exploitable through FreeMarker templates. Mapped to CWE-1336, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting critical severity due to its potential for complete system compromise.

Unauthenticated attackers with network access can exploit this vulnerability remotely with low complexity and no user interaction. Because the injected text is compiled and rendered by FreeMarker on the server, an attacker controls template logic rather than just output, and FreeMarker built-ins such as ?new can reach arbitrary Java code execution when they are not restricted, which is what drives the high confidentiality, integrity and availability impact.

The only reference listed for this CVE is the GitHub issue at https://github.com/line2222/vuln/issues/4, which is also the source of the public proof-of-concept flag above.
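The following Java program is an added example and is not OneBlog's code or the code from the referenced issue. It contrasts the vulnerable pattern this class of bug comes from (user-controlled text compiled as a FreeMarker template) with the hardened pattern the SI-10 and CM-6 controls above describe (user text passed only as a data model value, plus a Configuration that blocks ?new and ?api). The template name "greeting.ftl", the field name "name", the probe string "${7*7}" and the FreeMarker version constant 2.3.32 are assumptions chosen for the demonstration.

```java
import freemarker.cache.StringTemplateLoader;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Map;
import java.util.regex.Pattern;

public class FreemarkerSstiDemo {

    // Constructed probe input: it only evaluates if the text is compiled as a
    // template. The same position would accept a ?new()-based payload.
    static final String USER_INPUT = "${7*7}";

    // VULNERABLE: attacker-controlled text becomes the template source.
    static String renderUnsafe(String userTemplate, Map<String, Object> model)
            throws IOException, TemplateException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_32);
        Template t = new Template("user-supplied", new StringReader(userTemplate), cfg);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();   // "Hello 49!" for the probe: the expression ran
    }

    // HARDENED: template source is fixed and trusted; user text is data only.
    static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_32);
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate("greeting.ftl", "Hello ${name}!");   // stands in for a file on disk
        cfg.setTemplateLoader(loader);
        // CM-6-style baseline: no template, trusted or not, may instantiate classes via ?new.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // ?api is off by default; set it explicitly so nobody re-enables it by accident.
        cfg.setAPIBuiltinEnabled(false);
        return cfg;
    }

    static String renderSafe(Configuration cfg, String userValue)
            throws IOException, TemplateException {
        Template t = cfg.getTemplate("greeting.ftl");
        StringWriter out = new StringWriter();
        t.process(Map.of("name", userValue), out);   // value is interpolated, never compiled
        return out.toString();   // "Hello ${7*7}!" for the probe: printed literally
    }

    // SI-10-style gate for any field the application later stores as template text
    // (hypothetical: OneBlog's own field handling is not on this page).
    static final Pattern TEMPLATE_SYNTAX =
            Pattern.compile("\\$\\{|#\\{|<#|<@|</#|</@|\\[#|\\[@|\\?new\\b");

    static boolean containsTemplateSyntax(String s) {
        return TEMPLATE_SYNTAX.matcher(s).find();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("unsafe: " + renderUnsafe("Hello " + USER_INPUT + "!", Map.of()));
        System.out.println("safe:   " + renderSafe(hardenedConfiguration(), USER_INPUT));
        System.out.println("gate:   " + containsTemplateSyntax(USER_INPUT));
    }
}
```

Run with freemarker 2.3.32 on the classpath. The unsafe path prints "Hello 49!", proving the user string was executed as template code; the safe path prints "Hello ${7*7}!" because the value only travels through the data model. The class-resolver setting is defense in depth: it also disables ?new inside legitimately authored templates, so verify that no trusted template in the deployment relies on it before applying the baseline.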

Details

CWE(s): CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine)

Affected Products: zhyd oneblog ≤ 2.3.9

CVEs Like This One

CVE-2024-54954 (same product: Zhyd Oneblog)
CVE-2025-67843 (shared CWE-1336)
CVE-2026-28695 (shared CWE-1336)
CVE-2026-21450 (shared CWE-1336)
CVE-2025-68454 (shared CWE-1336)
CVE-2025-14700 (shared CWE-1336)
CVE-2026-27629 (shared CWE-1336)
CVE-2025-68929 (shared CWE-1336)
CVE-2025-64087 (shared CWE-1336)
CVE-2026-28697 (shared CWE-1336)

References