HTML Injection Vulnerability in OpenObserve Cloud-Native Observability Platform
CVE-2025-64744

3.5 LOW

Key Information:

Vendor
CVE Published: 13 November 2025

What is CVE-2025-64744?

OpenObserve, a cloud-native observability platform, is susceptible to an HTML injection vulnerability in versions up to and including 0.16.1. When users create or rename an organization with HTML content in the name, this content is improperly processed and rendered within invitation emails. This means that user-controlled input is inserted into the email template without appropriate HTML escaping, potentially allowing attackers to execute malicious scripts or exploit the platform's functionality. At present, no patches have been released to address this vulnerability.
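
The flaw described above, shown as a before/after pair. This is an added example, not OpenObserve's source code: the template wording, function names and the sample organization name are assumptions constructed for illustration.

```rust
// Added illustration, not OpenObserve source. Template text, function names
// and the sample value below are hypothetical/constructed.

/// Escape the characters that are significant in HTML text and attribute values.
fn escape_html(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Before: the organization name is interpolated into the HTML body as-is.
fn render_invite_unescaped(org_name: &str, inviter: &str) -> String {
    format!("<p>{inviter} invited you to join <b>{org_name}</b>.</p>")
}

/// After: every user-controlled field is escaped at the point of output.
fn render_invite_escaped(org_name: &str, inviter: &str) -> String {
    format!(
        "<p>{} invited you to join <b>{}</b>.</p>",
        escape_html(inviter),
        escape_html(org_name)
    )
}

/// Regression check for rendered mail: true when a value that contains HTML
/// metacharacters shows up verbatim (unescaped) in the body.
fn is_rendered_raw(body: &str, value: &str) -> bool {
    value != escape_html(value) && body.contains(value)
}

// Constructed organization name carrying markup.
const SAMPLE_ORG: &str = "Acme</b><h1>constructed heading</h1><b>";

fn main() {
    let before = render_invite_unescaped(SAMPLE_ORG, "alice");
    let after = render_invite_escaped(SAMPLE_ORG, "alice");
    println!("before: {before}\n  raw markup present: {}", is_rendered_raw(&before, SAMPLE_ORG));
    println!("after:  {after}\n  raw markup present: {}", is_rendered_raw(&after, SAMPLE_ORG));
}
```

A check like `is_rendered_raw` can run in a test suite against every mail template with a marker value in each user-controlled field, so an unescaped interpolation fails the build.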

Affected Version(s)

openobserve <= 0.16.1

CVSS V3.1

Score: 3.5
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
