Cyber Posture

CVE-2025-64087

Severity: Critical
Published: 20 January 2026
Modified: 03 February 2026
KEV Added: none
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.7th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport v1.0.0 to v2.1.0 allows attackers to execute arbitrary code by injecting crafted template expressions.

Mitigating Controls (NIST 800-53 r5)

prevent: Treat user-supplied content as data, never as template source. Keep it out of the FreeMarker template text, pass it only through the data model, and configure FreeMarker with a restrictive new-builtin class resolver (for example TemplateClassResolver.ALLOWS_NOTHING_RESOLVER) so that a crafted expression cannot instantiate classes such as freemarker.template.utility.Execute.

prevent: Remediate the SSTI flaw in opensagres XDocReport v1.0.0 to v2.1.0 by applying the fix from pull request #705, or by upgrading to a release that contains it.

detect: Scan systems and build artifacts for CVE-2025-64087, that is, XDocReport's FreeMarker component at versions 1.0.0 through 2.1.0, to identify vulnerable instances for remediation.

Security Summary

CVE-2025-64087, published on 2026-01-20, is a Server-Side Template Injection (SSTI) vulnerability classified under CWE-1336 in the FreeMarker component of opensagres XDocReport versions v1.0.0 to v2.1.0. It enables attackers to execute arbitrary code by injecting crafted template expressions into the affected component. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its high impact on confidentiality, integrity, and availability.

The vulnerability can be exploited by remote attackers with no required privileges or user interaction, accessible over the network with low attack complexity and no change in scope. Successful exploitation allows attackers to achieve arbitrary code execution on the targeted server, potentially leading to full system compromise.

Advisories and mitigation details are available in referenced sources, including the opensagres/xdocreport GitHub repository and pull request #705, which addresses the issue. Further technical write-ups are provided on HackMD pages linked in the CVE references.
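The description and summary above explain the mechanism but not what a FreeMarker template-expression injection looks like in code, or which engine setting stops it. The Java program below is an added example, not code from XDocReport or from the fix in pull request #705: it drives FreeMarker's public API directly, with a constructed payload string, to show the vulnerable pattern (untrusted text spliced into the template source), the data-model alternative, and the engine-level hardening (a restrictive new-builtin class resolver) that refuses `?new` even when the template itself is untrusted. The class and method names SstiDemo, renderVulnerable, renderSafe, defaultConfig and hardenedConfig are illustrative assumptions, FreeMarker 2.3.32 is assumed on the classpath, and nothing here claims where XDocReport's own injection point lies.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class SstiDemo {

    // Constructed attacker input (not taken from any advisory): a FreeMarker
    // expression that asks the ?new built-in to instantiate the stock
    // freemarker.template.utility.Execute class and then calls it with a shell
    // command. It is harmless as text and dangerous only if parsed as template code.
    static final String PAYLOAD =
        "${\"freemarker.template.utility.Execute\"?new()(\"id\")}";

    // Default engine configuration: ?new may instantiate any class on the
    // classpath (FreeMarker's UNRESTRICTED_RESOLVER is the default resolver).
    static Configuration defaultConfig() {
        return new Configuration(Configuration.VERSION_2_3_32);
    }

    // Hardened engine configuration: refuse ?new entirely. SAFER_RESOLVER is the
    // weaker option that blocks only Execute, ObjectConstructor and JythonRuntime.
    static Configuration hardenedConfig() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_32);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        cfg.setAPIBuiltinEnabled(false); // the default, stated explicitly: no ?api escape hatch
        return cfg;
    }

    // Vulnerable pattern: untrusted text is spliced into the template source, so
    // the parser sees ${...} and evaluates it as an expression.
    static String renderVulnerable(Configuration cfg, String untrusted)
            throws IOException, TemplateException {
        String source = "Dear " + untrusted + ",";
        Template t = new Template("letter", source, cfg);
        StringWriter out = new StringWriter();
        t.process(new HashMap<String, Object>(), out);
        return out.toString();
    }

    // Hardened pattern: the template source is fixed and untrusted text reaches
    // it only as a data-model value, so ${...} inside the value is plain text.
    static String renderSafe(Configuration cfg, String untrusted)
            throws IOException, TemplateException {
        Template t = new Template("letter", "Dear ${name},", cfg);
        Map<String, Object> model = new HashMap<>();
        model.put("name", untrusted);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // 1. Data-model path: the payload is echoed literally, whatever the engine config.
        System.out.println(renderSafe(defaultConfig(), PAYLOAD));

        // 2. Source-splicing path on a hardened engine: ?new is rejected with a
        //    TemplateException instead of spawning a process.
        try {
            renderVulnerable(hardenedConfig(), PAYLOAD);
        } catch (TemplateException e) {
            System.out.println("blocked: " + e.getMessage());
        }

        // 3. Source-splicing path on the default engine would run `id` on the host.
        //    Deliberately left commented out.
        // System.out.println(renderVulnerable(defaultConfig(), PAYLOAD));
    }
}
```

Build and run with the FreeMarker jar on the classpath, for example `javac -cp freemarker-2.3.32.jar SstiDemo.java` followed by `java -cp .:freemarker-2.3.32.jar SstiDemo`. The point of keeping both controls is that they fail in different places: data-model separation only helps when the application controls the template source, while the class resolver setting still holds when the template itself (for instance an uploaded document) is attacker-controlled.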

Details

CWE(s)
CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine

Affected Products
opensagres xdocreport, versions 1.0.0 through 2.1.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1221 Template Injection (Defense Evasion)
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.
Why these techniques?

The CVE describes Server-Side Template Injection (SSTI) enabling arbitrary remote code execution in a public-facing application component (FreeMarker in XDocReport), which maps directly to T1190 (Exploit Public-Facing Application). The T1221 (Template Injection) mapping is by name: that technique covers references planted in user document templates, such as Office templates, rather than expressions evaluated by a server-side template engine, so it is a weaker fit than T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References