JavaScript Injection Vulnerability in OPEXUS FOIAXpress by OPEXUS
CVE-2025-61997

4.8MEDIUM

Key Information:

Vendor: Opexus
Status: Foiaxpress
Vendor: CVE Published:; 7 October 2025

What is CVE-2025-61997?

OPEXUS FOIAXpress versions prior to 11.13.3.0 are susceptible to a JavaScript injection vulnerability that allows an administrative user to upload malicious content in the Annual Report Enterprise Banner image upload field. When other users generate an Annual Report, this injected content can execute within their context. Successful exploitation can enable an administrative user to act on behalf of the target, leading to the potential theft of session cookies, user credentials, and other sensitive data.

Affected Version(s)

FOIAXpress 0 < 11.13.3.0

FOIAXpress 11.13.3.0

References

https://docs.opexustech.com/docs/foiaxpress/11.13.0/FOIAX...

https://raw.githubusercontent.com/cisagov/CSAF/develop/cs...

https://www.cve.org/CVERecord?id=CVE-2025-61997

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 7, 2025
Vulnerability Reserved
Oct 7, 2025

Credit

Aaron M. Ramirez, United States Department of Justice

Wesley Cuffee, United States Department of Justice

CVE-2025-61997 Data

JSON

Opexus