CVE-2025-61997 MEDIUM

CVE-2025-61997: OPEXUS FOIAXpress stored XSS via banner image

Vendor Opexus
Product FOIAXpress
Weakness CWE-79 · XSS
Published October 7, 2025
Last update October 10, 2025

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Passive
Confidentiality Low
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

Description

OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content within the Annual Report Enterprise Banner image upload field. Injected content is executed in the context of other users when they generate an Annual Report. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data.

Key dates

Disclosure timeline

October 7, 2025 CVE published
October 10, 2025 Record updated
