Home > Vulnerability Database > CVE-2025-64087

Mend.io Vulnerability Database

CVE-2025-64087

Good to know:

Date: January 19, 2026

A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport v1.0.0 to v2.1.0 allows attackers to execute arbitrary code via injecting crafted template expressions.

Severity Score

9.8

Related Resources (8)

Url: https://github.com/opensagres/xdocreport/pull/705

Url: https://github.com/opensagres/xdocreport/commit/3b35d105e5ae2006bcaa2b07563188efc466711d

Url: https://github.com/AT190510-Cuong/CVE-2025-64087-SSTI-

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-64087

Url: https://hackmd.io/@cuongnh/SkQvhEf0lx

Url: https://hackmd.io/@cuongnh/BJEnw7SAlg

Url: https://github.com/opensagres/xdocreport

Url: https://www.mend.io/vulnerability-database/CVE-2025-64087

Severity Score

9.8

Weakness Type (CWE)

Improper Neutralization of Special Elements Used in a Template Engine

CWE-1336

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-64087

Good to know:

Date: January 19, 2026

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?