CVE-2025-61996 PUBLISHED

OPEXUS FOIAXpress stored XSS via annual report template

Assigner: cisa-cg
Reserved: 07.10.2025 Published: 07.10.2025 Updated: 07.10.2025

OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content within the Annual Report Template. Injected content is executed in the context of other users when they generate an Annual Report. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data.

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
CVSS Score: 4.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	High	Integrity Impact	Low
User Interaction	Required	Availability Impact	Low

CVSS 3.1

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
CVSS Score: 4.8

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	Low	Integrity	None
Attack Requirements	None	Availability	Low	Availability	None
Privileges Required	High
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	OPEXUS
Product	FOIAXpress
Versions	Default: unknown affected from 0 to 11.13.3.0 (excl.) Version 11.13.3.0 is unaffected

Credits

Aaron M. Ramirez, United States Department of Justice
Wesley Cuffee, United States Department of Justice

References

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE