CVE-2025-61999 MEDIUM

CVE-2025-61999: OPEXUS FOIAXpress stored XSS via logo image

Vendor: Opexus
Product: FOIAXpress
Weakness: CWE-79 · XSS
Published: October 7, 2025
Last update: October 10, 2025

CVSS base score

4.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: Required
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

What the vulnerability does

01 Description

OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to upload JavaScript or other content embedded in an SVG image used as a logo. Injected content is executed in the context of other users when they view affected pages. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data.
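
An upload-side check for the weakness described above, as an added example: this is not Opexus code and does not describe how 11.13.3.0 fixes the issue. It rejects any SVG logo that contains anything other than static drawing markup; the function names, the element allowlist and both sample logos are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Assumed allowlist of static drawing elements; adjust to what your logos need.
ALLOWED_TAGS = {"svg", "g", "path", "rect", "circle", "ellipse", "line",
                "polyline", "polygon", "text", "tspan", "title", "desc",
                "defs", "linearGradient", "radialGradient", "stop", "clipPath"}
# Constructed samples: a static logo, and one carrying script via three routes.
CLEAN_LOGO = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<rect width="10" height="10" fill="#036"/></svg>')
ACTIVE_LOGO = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
               b'<script>alert(2)</script>'
               b'<image href="javascript:alert(3)"/></svg>')


def _split(qname):
    """Split ElementTree's '{namespace}local' name into (namespace, local)."""
    ns, _, local = qname.rpartition("}")
    return ns.lstrip("{"), local


def svg_findings(data: bytes) -> list:
    """Return reasons to reject an uploaded SVG; an empty list means accept."""
    try:
        text = data.decode("utf-8")  # one encoding, so the checks see what the parser sees
    except UnicodeDecodeError:
        return ["not UTF-8"]
    # DTDs and stylesheet PIs are invisible to the tree walk, so reject them up front.
    if re.search(r"<!(DOCTYPE|ENTITY)|<\?xml-stylesheet", text, re.I):
        return ["DOCTYPE, ENTITY or xml-stylesheet declaration"]
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        ns, tag = _split(el.tag)
        if ns != SVG_NS or tag not in ALLOWED_TAGS:
            findings.append(f"disallowed element <{tag}>")
        for name, value in el.attrib.items():
            attr = _split(name)[1]
            if attr.lower().startswith("on"):
                findings.append(f"event handler {attr} on <{tag}>")
            elif attr in ("href", "src") and not value.strip().startswith("#"):
                findings.append(f"non-fragment URL in {attr} on <{tag}>")
            elif attr == "style" and re.search(r"url\s*\(|@import", value, re.I):
                findings.append(f"URL-loading CSS in style on <{tag}>")
    return findings
```

Validation at upload is one layer; serving user-supplied logos with a restrictive Content-Security-Policy, or rasterising them to PNG, limits the impact of anything the check misses.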

Key dates

02 Disclosure timeline

October 7, 2025: CVE published
October 10, 2025: Record updated