JavaScript Injection Vulnerability in OPEXUS FOIAXpress
CVE-2025-61998

4.8MEDIUM

Key Information:

Vendor: Opexus
Status: Foiaxpress
Vendor: CVE Published:; 7 October 2025

What is CVE-2025-61998?

A JavaScript injection vulnerability exists in OPEXUS FOIAXpress prior to version 11.13.3.0, where an administrative user can insert malicious JavaScript or other content as a URL through the Technical Support Hyperlink Manager. When other users click on the malicious link, the injected content is executed in their context. This loophole allows the administrative user to perform actions impersonating the target user, potentially leading to the theft of session cookies, user credentials, or other sensitive information.

Affected Version(s)

FOIAXpress 0 < 11.13.3.0

FOIAXpress 11.13.3.0

References

https://docs.opexustech.com/docs/foiaxpress/11.13.0/FOIAX...

https://www.cve.org/CVERecord?id=CVE-2025-61998

https://raw.githubusercontent.com/cisagov/CSAF/develop/cs...

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 7, 2025
Vulnerability Reserved
Oct 7, 2025

Credit

Aaron M. Ramirez, United States Department of Justice

Wesley Cuffee, United States Department of Justice

CVE-2025-61998 Data

JSON

Opexus