CVE-2025-60355
Published: 28 October 2025
Description
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.
Security Summary
CVE-2025-60355 is a Server-Side Template Injection (SSTI) vulnerability in zhangyd-c OneBlog versions 2.3.9 and prior, exploitable through FreeMarker templates. Mapped to CWE-1336, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting critical severity due to its potential for complete system compromise.
Unauthenticated attackers with network access can exploit this vulnerability remotely with low complexity and no user interaction required. Exploitation enables high-impact disruption to confidentiality, integrity, and availability, allowing attackers to inject malicious templates that may lead to arbitrary code execution on the affected server.
Mitigation details are available in the referenced advisory at https://github.com/line2222/vuln/issues/4.
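The defensive counterpart to the FreeMarker SSTI described above, as an added example that is not OneBlog's own code: a hardened FreeMarker `Configuration` that disables the class-loading builtins template injection relies on, with user-controlled text passed only as model data. Assumes FreeMarker 2.3.24 or later; class and method names in the example are hypothetical.

```java
import freemarker.cache.StringTemplateLoader;
import freemarker.core.HTMLOutputFormat;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringWriter;
import java.util.Map;

/** Added example (not OneBlog code): hardened FreeMarker rendering. */
public class HardenedFreeMarker {

    /** Build a Configuration that refuses the builtins SSTI payloads depend on. */
    public static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        // "?new" lets a template instantiate arbitrary classes; forbid it entirely.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // "?api" exposes the raw Java object behind a wrapped value; keep it off.
        cfg.setAPIBuiltinEnabled(false);
        // HTML output format turns on auto-escaping for interpolated values.
        cfg.setOutputFormat(HTMLOutputFormat.INSTANCE);
        // Templates come only from this in-memory loader, never from user-writable paths.
        cfg.setTemplateLoader(new StringTemplateLoader());
        return cfg;
    }

    /** Render a trusted template; untrusted input belongs in the model, not the source. */
    public static String render(Configuration cfg, String name, String source,
                                Map<String, Object> model) throws IOException, TemplateException {
        ((StringTemplateLoader) cfg.getTemplateLoader()).putTemplate(name, source);
        Template t = cfg.getTemplate(name);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = hardenedConfiguration();
        // Constructed sample: the "user" value is attacker-controlled, the template is ours.
        String untrusted = "<#assign x = \"a\"?new()>${x}";
        // Passed as data, the directive syntax is escaped and printed, never interpreted.
        System.out.println(render(cfg, "post", "<p>Author: ${user}</p>",
                Map.<String, Object>of("user", untrusted)));
        // Even if untrusted text did reach the template source, "?new" is refused.
        try {
            render(cfg, "bad", untrusted, Map.<String, Object>of());
        } catch (TemplateException e) {
            System.out.println("blocked by resolver: " + e.getMessage());
        }
    }
}
```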
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes unauthenticated remote exploitation of a public-facing web application via Server-Side Template Injection (SSTI) in FreeMarker templates, enabling arbitrary code execution; this maps directly to T1190 (Exploit Public-Facing Application) and T1221 (Template Injection).