CVE-2025-61998 MEDIUM

CVE-2025-61998: OPEXUS FOIAXpress stored XSS via Hyperlink Manager

Vendor Opexus
Product FOIAXpress
Weakness CWE-79 · XSS
Published October 7, 2025
Last update October 10, 2025

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Passive
Confidentiality Low
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content as a URL within the Technical Support Hyperlink Manager. Injected content is executed in the context of other users when they click the malicious link. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data.
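
A mitigation sketch for this bug class, added here as an example and not taken from FOIAXpress or the vendor's fix: admin-supplied link targets are parsed, restricted to an allow-list of schemes, and HTML-escaped on output. The function names (`validateSupportLink`, `escapeAttr`, `renderLink`), the 2048-character limit and the sample URLs are assumptions made for illustration.

```javascript
// Added example: allow-list validation for admin-supplied hyperlink URLs.
// All names here are hypothetical; this is not FOIAXpress code.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function validateSupportLink(input) {
  if (typeof input !== "string" || input.length > 2048) {
    return { ok: false, reason: "invalid-type-or-length" };
  }
  let parsed;
  try {
    // No base URL is given, so relative and scheme-relative values fail to parse.
    // The WHATWG parser also strips tabs/newlines and lowercases the scheme,
    // so obfuscated spellings normalise before the scheme check below.
    parsed = new URL(input);
  } catch {
    return { ok: false, reason: "not-absolute-url" };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: "scheme-not-allowed" };
  }
  if (parsed.username || parsed.password) {
    return { ok: false, reason: "embedded-credentials" };
  }
  // Store and render the parser's serialisation, never the raw input.
  return { ok: true, href: parsed.href };
}

// Escape a value for use inside a double-quoted HTML attribute or text node.
function escapeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

// Returns the anchor markup, or null when the URL is rejected.
function renderLink(label, rawUrl) {
  const result = validateSupportLink(rawUrl);
  if (!result.ok) return null;
  return `<a href="${escapeAttr(result.href)}" rel="noopener noreferrer">${escapeAttr(label)}</a>`;
}
```

Validation belongs both where the link is saved and where it is rendered, so entries stored before the check existed are also filtered.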

Key dates

02 Disclosure timeline

October 7, 2025 CVE published
October 10, 2025 Record updated
