Cyber Resilience

CVE-2025-64087

Critical

Published: 20 January 2026
Modified: 03 February 2026
KEV Added: not listed
Patch: available (opensagres/xdocreport pull request #705)
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0050 (39.1st percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2025-64087 is a critical-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Opensagres Xdocreport. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 39.1st percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-64087, published on 2026-01-20, is a Server-Side Template Injection (SSTI) vulnerability classified under CWE-1336 in the FreeMarker component of opensagres XDocReport versions v1.0.0 to v2.1.0. It enables attackers to execute arbitrary code by injecting crafted template expressions into the affected component. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its high impact on confidentiality, integrity, and availability.

The vulnerability is exploitable by remote attackers over the network with low attack complexity, no privileges and no user interaction, and without a scope change. Successful exploitation yields arbitrary code execution with the privileges of the application's JVM process, which can lead to full compromise of the host. In practice, exposure depends on whether the deploying application lets untrusted input reach XDocReport's FreeMarker template processing, so inventory where report templates and the values fed into them originate.

Advisories and mitigation details are available in referenced sources, including the opensagres/xdocreport GitHub repository and pull request #705, which addresses the issue. Further technical write-ups are provided on HackMD pages linked in the CVE references.
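The mechanism behind CWE-1336 in FreeMarker, as an added example that is not XDocReport's code and does not reproduce the specific code path fixed in pull request #705 (the page does not describe it). It assumes the org.freemarker:freemarker 2.3.31 dependency and uses the standard low-impact probe `${7*7}`: the vulnerable method splices untrusted text into the template source, so the engine evaluates the arithmetic; the hardened method keeps the template source fixed and passes the same text through the data model, where it is emitted as a plain string, and additionally locks down the `?new` class resolver and the `?api` built-in as defence in depth. Method and class names are illustrative.

```java
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import freemarker.template.TemplateExceptionHandler;

/**
 * Illustrative server-side template injection (CWE-1336) demo for FreeMarker.
 * Added example, not XDocReport code. Dependency: org.freemarker:freemarker:2.3.31
 */
public class FreemarkerSstiDemo {

    // Constructed "report title" as an attacker might submit it. If ${7*7}
    // comes back evaluated, template expressions in user input are being run.
    static final String UNTRUSTED_TITLE = "Quarterly report ${7*7}";

    static Configuration baseConfig() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER);
        return cfg;
    }

    // VULNERABLE: untrusted text is concatenated into the template source, so
    // every ${...} interpolation and <#...> directive inside it is evaluated.
    static String renderVulnerable(String untrusted) throws IOException, TemplateException {
        String source = "<h1>" + untrusted + "</h1>";
        Template t = new Template("report", new StringReader(source), baseConfig());
        StringWriter out = new StringWriter();
        t.process(new HashMap<String, Object>(), out);
        return out.toString();
    }

    // HARDENED: the template source is a fixed string under the developer's
    // control; untrusted text only travels through the data model, where the
    // engine outputs it as a value and never parses it as template code.
    static String renderHardened(String untrusted) throws IOException, TemplateException {
        Configuration cfg = baseConfig();
        // Defence in depth: even if source injection slips through elsewhere,
        // refuse "..."?new() class instantiation and the ?api built-in.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        cfg.setAPIBuiltinEnabled(false);

        Template t = new Template("report", new StringReader("<h1>${title}</h1>"), cfg);
        Map<String, Object> model = new HashMap<>();
        model.put("title", untrusted);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    // Shows the resolver lockdown acting on a template that does contain a
    // ?new instantiation: with ALLOWS_NOTHING_RESOLVER the engine refuses it
    // at process time and raises a TemplateException instead of instantiating.
    static boolean hardenedConfigBlocksNew() {
        Configuration cfg = baseConfig();
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        String source = "<#assign ex=\"freemarker.template.utility.Execute\"?new()>blocked";
        try {
            Template t = new Template("probe", new StringReader(source), cfg);
            t.process(new HashMap<String, Object>(), new StringWriter());
            return false; // only reachable if instantiation were permitted
        } catch (TemplateException e) {
            return true;  // resolver refused the class for security reasons
        } catch (IOException e) {
            return false; // parse failure, not what this probe is testing
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("vulnerable: " + renderVulnerable(UNTRUSTED_TITLE));
        System.out.println("hardened:   " + renderHardened(UNTRUSTED_TITLE));
        System.out.println("?new blocked under hardened config: " + hardenedConfigBlocksNew());
    }
}
```

The decisive fix is the one in `renderHardened`: user input must only ever be a data-model value, never part of the template text. The resolver and `?api` settings do not make source injection safe, they only remove the most direct route from an injected expression to class instantiation, which is why they are presented as a second layer rather than the remedy.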

Vulnerability details

A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport v1.0.0 to v2.1.0 allows attackers to execute arbitrary code via injecting crafted template expressions.

CWE(s)

CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1221 Template Injection (Defense Evasion)
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.

Why these techniques?

The CVE describes Server-Side Template Injection (SSTI) enabling arbitrary remote code execution in a public-facing application component (FreeMarker in XDocReport), which maps directly to T1190 (Exploit Public-Facing Application). The T1221 (Template Injection) mapping is looser: that technique covers malicious references planted in user document templates, so it shares the template theme with this CVE rather than its server-side evaluation mechanism.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-65482 (same product: Opensagres Xdocreport)
CVE-2026-27629 (shared CWE-1336)
CVE-2026-28695 (shared CWE-1336)
CVE-2025-68929 (shared CWE-1336)
CVE-2025-14700 (shared CWE-1336)
CVE-2026-21450 (shared CWE-1336)
CVE-2025-68454 (shared CWE-1336)
CVE-2025-60355 (shared CWE-1336)
CVE-2025-67843 (shared CWE-1336)
CVE-2026-28697 (shared CWE-1336)

Affected Assets

opensagres
xdocreport
1.0.0 — 2.1.0

Mitigating Controls (NIST 800-53 r5)

prevent: SI-10 Information Input Validation
Validate or reject untrusted input before it reaches the FreeMarker component, and never build template source from user-controlled text, so that crafted template expressions are not evaluated and server-side template injection cannot lead to arbitrary code execution.

prevent: SI-2 Flaw Remediation
Remediate the SSTI flaw in opensagres XDocReport v1.0.0 to v2.1.0 by applying the fix tracked in pull request #705 of the opensagres/xdocreport repository and redeploying the affected applications.

detect: RA-5 Vulnerability Monitoring and Scanning
Scan build manifests and deployed applications for XDocReport's FreeMarker component in the affected version range to identify instances exposed to CVE-2025-64087 and queue them for remediation.
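One way to run the RA-5 check against a build's dependency list, as an added example that is not part of this page's tooling or of XDocReport. It parses lines in the shape of `mvn dependency:list` output and flags any XDocReport artifact whose version falls inside the advisory's affected range, 1.0.0 to 2.1.0 inclusive. The sample lines are constructed and the Maven coordinates (groupId fr.opensagres.xdocreport and the module names) are assumed; the advisory does not name a fixed release, so versions outside the range are left unflagged rather than declared safe.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example: flag XDocReport artifacts inside the CVE-2025-64087 affected
 * range (1.0.0 to 2.1.0 inclusive) in dependency-list output. Not XDocReport
 * code and not a real scanner; coordinates in the sample are assumed.
 */
public class XdocreportRangeCheck {

    static final int[] RANGE_LOW  = {1, 0, 0};
    static final int[] RANGE_HIGH = {2, 1, 0};

    // Constructed lines in the shape of `mvn dependency:list` output.
    static final String[] SAMPLE_LINES = {
        "[INFO]    fr.opensagres.xdocreport:fr.opensagres.xdocreport.template.freemarker:jar:2.0.4:compile",
        "[INFO]    fr.opensagres.xdocreport:fr.opensagres.xdocreport.document.docx:jar:2.1.0:compile",
        "[INFO]    fr.opensagres.xdocreport:fr.opensagres.xdocreport.core:jar:0.9.8:compile",
        "[INFO]    org.freemarker:freemarker:jar:2.3.31:compile",
    };

    // groupId:artifactId:packaging:version:scope
    static final Pattern COORD = Pattern.compile(
        "([A-Za-z0-9_.\\-]+):([A-Za-z0-9_.\\-]+):[a-z]+:([0-9][A-Za-z0-9_.\\-]*):[a-z]+");

    /** Numeric prefix of a version ("2.1.0-SNAPSHOT" -> [2,1,0]); qualifiers are ignored. */
    static int[] parseVersion(String v) {
        String[] parts = v.split("[-+]", 2)[0].split("\\.");
        int[] out = new int[3];
        for (int i = 0; i < 3 && i < parts.length; i++) {
            out[i] = parts[i].matches("\\d+") ? Integer.parseInt(parts[i]) : 0;
        }
        return out;
    }

    static int compare(int[] a, int[] b) {
        for (int i = 0; i < 3; i++) {
            if (a[i] != b[i]) return Integer.compare(a[i], b[i]);
        }
        return 0;
    }

    /** True when the version lies in [1.0.0, 2.1.0]. Anything outside is simply
     *  not flagged: the advisory lists no fixed release, so "unflagged" is not "safe". */
    static boolean inAffectedRange(String version) {
        int[] v = parseVersion(version);
        return compare(v, RANGE_LOW) >= 0 && compare(v, RANGE_HIGH) <= 0;
    }

    static List<String> findAffected(String[] lines) {
        List<String> hits = new ArrayList<>();
        for (String line : lines) {
            Matcher m = COORD.matcher(line);
            if (!m.find()) continue;
            String groupId = m.group(1), artifactId = m.group(2), version = m.group(3);
            // Match on the group so every XDocReport module at an affected version is
            // surfaced; the FreeMarker template module is the one the CVE names.
            if (groupId.contains("xdocreport") && inAffectedRange(version)) {
                hits.add(groupId + ":" + artifactId + ":" + version);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        for (String hit : findAffected(SAMPLE_LINES)) {
            System.out.println("CVE-2025-64087 candidate: " + hit);
        }
    }
}
```

Feed it real `mvn dependency:list` output (or the equivalent Gradle listing reshaped to the same coordinate form) per build, and treat each hit as an instance to remediate under SI-2 above; the upper bound is inclusive because the advisory lists 2.1.0 itself as affected.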
