CVE-2025-64087

Critical

Published: 20 January 2026

Published

20 January 2026

Modified

03 February 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0010 27.6th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-64087 is a critical-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Opensagres Xdocreport. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Validates crafted template expressions injected into the FreeMarker component to prevent server-side template injection leading to arbitrary code execution.

SI-2 Flaw Remediation good match

prevent

Remediates the SSTI flaw in opensagres XDocReport v1.0.0 to v2.1.0 by applying patches from sources like pull request #705.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Scans systems for CVE-2025-64087 in the FreeMarker component to identify vulnerable XDocReport instances for remediation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1221 Template Injection Stealth

Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.

attack.mitre.org →

Why these techniques?

CVE describes Server-Side Template Injection (SSTI) enabling arbitrary remote code execution in a public-facing application component (FreeMarker in XDocReport), directly mapping to T1190 (Exploit Public-Facing Application) and T1221 (Template Injection).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport v1.0.0 to v2.1.0 allows attackers to execute arbitrary code via injecting crafted template expressions.

Deeper analysisAI

CVE-2025-64087, published on 2026-01-20, is a Server-Side Template Injection (SSTI) vulnerability classified under CWE-1336 in the FreeMarker component of opensagres XDocReport versions v1.0.0 to v2.1.0. It enables attackers to execute arbitrary code by injecting crafted template expressions into the affected component. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its high impact on confidentiality, integrity, and availability.

The vulnerability can be exploited by remote attackers with no required privileges or user interaction, accessible over the network with low attack complexity and no change in scope. Successful exploitation allows attackers to achieve arbitrary code execution on the targeted server, potentially leading to full system compromise.

Advisories and mitigation details are available in referenced sources, including the opensagres/xdocreport GitHub repository and pull request #705, which addresses the issue. Further technical write-ups are provided on HackMD pages linked in the CVE references.

Details

CWE(s): CWE-1336

Affected Products

opensagres

xdocreport

1.0.0 — 2.1.0

CVEs Like This One

CVE-2025-65482Same product: Opensagres Xdocreport

CVE-2025-68454Shared CWE-1336

CVE-2026-21450Shared CWE-1336

CVE-2026-28695Shared CWE-1336

CVE-2025-60355Shared CWE-1336

CVE-2026-27629Shared CWE-1336

CVE-2025-14700Shared CWE-1336

CVE-2025-68929Shared CWE-1336

CVE-2025-67843Shared CWE-1336

CVE-2026-28697Shared CWE-1336

References

https://github.com/AT190510-Cuong/CVE-2025-64087-SSTI-
Broken Link · cve@mitre.org
https://github.com/opensagres/xdocreport
Product · cve@mitre.org
https://github.com/opensagres/xdocreport/pull/705
Issue Tracking, Third Party Advisory · cve@mitre.org
https://hackmd.io/@cuongnh/BJEnw7SAlg
Permissions Required · cve@mitre.org
https://hackmd.io/@cuongnh/SkQvhEf0lx
Permissions Required · cve@mitre.org