CVE-2025-64087 · CRITICAL 9.8 · EPSS p39.0%

Description

A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport v1.0.0 to v2.1.0 allows attackers to execute arbitrary code by injecting crafted template expressions.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.50% probability of exploitation · percentile 39.0% · 2026-06-19T12:03:05Z
Published: 2026-01-20
Last modified: 2026-02-03

Underlying weaknesses · 1

CWE-1336

References

  1. https://github.com/AT190510-Cuong/CVE-2025-64087-SSTI-
  2. https://github.com/opensagres/xdocreport
  3. https://github.com/opensagres/xdocreport/pull/705
  4. https://hackmd.io/@cuongnh/BJEnw7SAlg
  5. https://hackmd.io/@cuongnh/SkQvhEf0lx

Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Special Elements Used in a Template Engine (cwe-1336) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE · CVE-2025-65482
CVE · CVE-2025-70830
CVE · CVE-2026-36765
CVE · CVE-2025-60355
CVE · CVE-2025-54815
CVE · CVE-2025-51991
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.