
CVE-2025-61996: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in OPEXUS FOIAXpress

Severity: Medium
Tags: Vulnerability, CVE-2025-61996, cve, cwe-79
Published: Tue Oct 07 2025 (10/07/2025, 23:13:31 UTC)
Source: CVE Database V5
Vendor/Project: OPEXUS
Product: FOIAXpress

Description

OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content within the Annual Report Template. Injected content is executed in the context of other users when they generate an Annual Report. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data.

AI-Powered Analysis

AI analysis last updated: 10/07/2025, 23:46:05 UTC

Technical Analysis

CVE-2025-61996 is a cross-site scripting (XSS) vulnerability classified under CWE-79 affecting OPEXUS FOIAXpress versions prior to 11.13.3.0. The vulnerability arises from improper neutralization of input during web page generation, specifically within the Annual Report Template feature. An administrative user can inject arbitrary JavaScript or other executable content into this template. When other users generate an Annual Report, the injected script executes in their browser context, potentially allowing the attacker to perform actions on behalf of the victim user. This includes stealing session cookies, user credentials, or other sensitive information accessible within the application session. Exploitation requires that the attacker already holds administrative privileges to store the malicious content and that the victim user triggers Annual Report generation, which makes it less trivial but still impactful. The CVSS v3.1 score is 4.3 (medium severity), reflecting a network attack vector with low complexity but requiring high privileges and user interaction. No public exploits have been reported yet. The vulnerability highlights insufficient input validation and output encoding in the FOIAXpress reporting module, which should be addressed by applying patches or implementing strict input sanitization and content security policies.

Potential Impact

For European organizations, especially those in government, public administration, or entities handling freedom of information requests, this vulnerability poses a risk to the confidentiality and integrity of sensitive data. Attackers with administrative access could leverage this flaw to compromise user sessions, steal credentials, or manipulate report content, potentially leading to unauthorized data disclosure or fraudulent report generation. Although exploitation requires administrative privileges and user interaction, insider threats or compromised admin accounts could facilitate attacks. The impact on availability is limited but possible if malicious scripts disrupt report generation or application functionality. Given the use of FOIAXpress in managing public information requests, exploitation could undermine trust and compliance with data protection regulations such as GDPR. Organizations may face reputational damage and regulatory scrutiny if sensitive information is exposed or manipulated.

Mitigation Recommendations

Organizations should immediately upgrade OPEXUS FOIAXpress to version 11.13.3.0 or later where the vulnerability is fixed. Until patching is possible, restrict administrative access strictly to trusted personnel and monitor for unusual template modifications. Implement input validation and output encoding on all user-supplied content within report templates to prevent script injection. Employ Content Security Policy (CSP) headers to limit script execution sources and reduce XSS impact. Conduct regular audits of report templates for unauthorized changes. Educate administrative users about the risks of injecting untrusted content. Additionally, enable multi-factor authentication (MFA) for administrative accounts to reduce the risk of credential compromise. Monitor application logs for suspicious activity related to report generation and user sessions. Consider isolating FOIAXpress environments to limit lateral movement if compromise occurs.
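The three code-level controls this paragraph names (output encoding of template content, auditing stored templates for unauthorized active content, and a Content Security Policy header) are shown below in an added Node.js example. It is not FOIAXpress code and makes no claim about how FOIAXpress renders its Annual Report Template: the `{{field}}` placeholder syntax, the allowlisted tag set, the audit patterns, and the sample template with a stored script are all constructed for this illustration.

```javascript
// Added example (not OPEXUS/FOIAXpress code). Demonstrates the CWE-79 defect
// class from the advisory: a stored, admin-controlled report template rendered
// verbatim for other users, beside a hardened renderer that encodes output and
// re-enables only bare allowlisted tags, plus a template audit and a CSP header.
// Placeholder syntax, tag allowlist, audit patterns and sample data are assumptions.

// Escape the five characters that let text break out of HTML element content
// or a quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored template and the report fields are placed in
// the page verbatim, so any markup an administrator stored in the template
// reaches every user who generates the report.
function renderReportUnsafe(template, fields) {
  return template.replace(/\{\{(\w+)\}\}/g, (_, name) =>
    Object.prototype.hasOwnProperty.call(fields, name) ? String(fields[name]) : '');
}

// Structural tags a template may use, without any attributes (assumed allowlist).
const ALLOWED_TAGS = ['p', 'h1', 'h2', 'b', 'i', 'br'];

// Hardened pattern: encode the whole template as text, then restore only exact
// "<tag>" / "</tag>" tokens from the allowlist. <script>, event-handler
// attributes and javascript: URLs never survive because nothing with
// attributes or an unlisted tag name is ever decoded back into markup.
// Field values are encoded separately so they cannot introduce markup either.
function renderReportSafe(template, fields) {
  const encoded = escapeHtml(template);
  const allowed = new RegExp(`&lt;(\\/?)(${ALLOWED_TAGS.join('|')})&gt;`, 'g');
  const withMarkup = encoded.replace(allowed, '<$1$2>');
  return withMarkup.replace(/\{\{(\w+)\}\}/g, (_, name) =>
    Object.prototype.hasOwnProperty.call(fields, name) ? escapeHtml(fields[name]) : '');
}

// Audit helper for the "regular audits of report templates" recommendation:
// returns the names of active-content patterns found in a stored template.
const ACTIVE_CONTENT = [
  { name: 'script-tag', re: /<\s*script\b/i },
  { name: 'event-handler', re: /\son\w+\s*=/i },
  { name: 'javascript-url', re: /javascript\s*:/i },
  { name: 'embedded-object', re: /<\s*(iframe|object|embed)\b/i },
];
function auditTemplate(template) {
  return ACTIVE_CONTENT.filter(({ re }) => re.test(template)).map(({ name }) => name);
}

// Defense in depth: a per-response CSP that only executes scripts carrying
// this response's nonce. The caller must generate a fresh, unpredictable nonce
// for every response (for example from Node's crypto module).
function contentSecurityPolicy(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'none'",
  ].join('; ');
}

// Constructed sample: a template in which an administrator stored a script,
// and report fields containing markup of their own.
const SAMPLE_TEMPLATE =
  '<h1>Annual Report {{year}}</h1><p>Requests received: {{requests}}</p>' +
  '<script>alert(document.domain)</script>';
const SAMPLE_FIELDS = { year: 2025, requests: '1,204 <b>(+12%)</b>' };

console.log('unsafe :', renderReportUnsafe(SAMPLE_TEMPLATE, SAMPLE_FIELDS));
console.log('safe   :', renderReportSafe(SAMPLE_TEMPLATE, SAMPLE_FIELDS));
console.log('audit  :', auditTemplate(SAMPLE_TEMPLATE));
console.log('csp    :', contentSecurityPolicy('example-nonce'));
```

The hardened renderer deliberately does not try to strip dangerous constructs from raw HTML; it starts from fully encoded text and decodes only a fixed set of bare tags, which is far easier to reason about than a denylist. The audit function is the piece to run over every stored template on a schedule and on each template save, so an unexpected `script-tag` or `event-handler` finding surfaces as an alert rather than waiting for a user to generate a report.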


Technical Details

Data Version: 5.1
Assigner Short Name: cisa-cg
Date Reserved: 2025-10-07T14:13:54.500Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68e5a292a677756fc9a5a203

Added to database: 10/7/2025, 11:30:26 PM

Last enriched: 10/7/2025, 11:46:05 PM

Last updated: 10/8/2025, 4:54:49 AM

