CVE-2025-64087

Severity CVSS v4.0:

Pending analysis

Type:

Unavailable / Other

Publication date:

20/01/2026

Last modified:

20/01/2026

Description

A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport v1.0.0 to v2.1.0 allows attackers to execute arbitrary code via injecting crafted template expressions.

Impact

References to Advisories, Solutions, and Tools

https://github.com/AT190510-Cuong/CVE-2025-64087-SSTI-
https://github.com/opensagres/xdocreport
https://github.com/opensagres/xdocreport/pull/705
https://hackmd.io/@cuongnh/BJEnw7SAlg
https://hackmd.io/@cuongnh/SkQvhEf0lx