CVE-2025-61996 is a cross-site scripting (XSS) vulnerability classified under CWE-79 found in OPEXUS FOIAXpress versions prior to 11.13.3.0. The flaw arises from improper neutralization of input during web page generation, specifically within the Annual Report Template feature. An administrative user can inject arbitrary JavaScript or other executable content into this template. When other users generate an Annual Report, the injected script executes in their browser context, enabling the attacker to perform actions with the victim's privileges. Potential malicious outcomes include stealing session cookies, harvesting user credentials, or accessing sensitive data. The vulnerability requires the attacker to have administrative privileges to inject the payload and relies on user interaction to trigger execution. The CVSS v3.1 score is 4.3 (medium), reflecting network attack vector, low attack complexity, high privileges required, and user interaction needed. No public exploits are currently known. The vulnerability impacts confidentiality, integrity, and availability to a limited extent but can facilitate further attacks if chained with other vulnerabilities or social engineering. FOIAXpress is used primarily by government agencies and organizations managing Freedom of Information Act (FOIA) requests, making the vulnerability particularly relevant to public sector entities.

For European organizations, especially government agencies and public institutions using FOIAXpress for FOIA management and reporting, this vulnerability poses a risk of unauthorized data access and session hijacking. Exploitation could lead to exposure of sensitive government or citizen information, undermining trust and compliance with data protection regulations such as GDPR. The ability for an administrative user to inject malicious scripts could also facilitate lateral movement or privilege escalation within the affected environment. Although the vulnerability requires administrative privileges, insider threats or compromised admin accounts could exploit this flaw to impact multiple users. The impact on availability is limited but could include disruption of report generation processes. The medium severity rating suggests a moderate risk, but the strategic importance of affected data and systems in European public sector contexts elevates the concern. Organizations may face reputational damage and regulatory scrutiny if exploited.

1. Apply vendor patches or updates as soon as they become available for FOIAXpress to remediate the vulnerability. 2. Restrict administrative privileges strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA). 3. Implement input validation and output encoding controls on the Annual Report Template fields to prevent injection of executable scripts. 4. Conduct regular audits of administrative actions and template content to detect unauthorized changes. 5. Educate administrative users on the risks of injecting untrusted content and enforce policies limiting template modifications. 6. Monitor logs and network traffic for unusual activities related to report generation or script execution. 7. Consider deploying web application firewalls (WAFs) with custom rules to detect and block XSS payloads targeting FOIAXpress. 8. Isolate FOIAXpress instances from broader network segments to limit potential lateral movement if exploited.