PT-2025-27075 · Kingdee · Kingdee Cloud-Starry-Sky Enterprise Edition

Caichaoxiong · Published 2025-06-27 · Updated 2025-07-02 · CVE-2025-6761

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Kingdee Cloud-Starry-Sky Enterprise Edition versions 6.x through 9.0
Description: A critical issue has been found affecting the function plugin.buildMobilePopHtml of the file k3o2oboswebappactionDynamicForm4Action.class in the Freemarker Engine component. Attacker-controlled input reaches the template engine as template source rather than as data, which leads to improper neutralization of special elements used in a template engine (server-side template injection); FreeMarker's `?new` built-in can then instantiate arbitrary classes such as `freemarker.template.utility.Execute`, and the attack can be carried out remotely without authentication. An exploit has been disclosed publicly.
Recommendations: For Kingdee Cloud-Starry-Sky Enterprise Edition versions 6.x through 9.0, upgrade to the fixed release. The fix configures the Freemarker engine's `new_builtin_class_resolver` as `TemplateClassResolver.ALLOWS_NOTHING_RESOLVER`, so the `?new` built-in refuses to instantiate any class. Note that this setting only governs `?new`: objects already exposed through the data model, and the `?api` built-in if it has been enabled, are separate paths, so untrusted input should not be compiled as template source at all.
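The following is an added example, not code from Kingdee or from the advisory, showing the three configurations the description and recommendation refer to: user input compiled as a FreeMarker template with the default (unrestricted) class resolver, the same pattern with `ALLOWS_NOTHING_RESOLVER` applied as in the fix, and the root-cause fix where the input is only ever a data-model value. The class name `FreemarkerSstiDemo`, the `render*` methods and the payload string are assumptions made for the example; only the FreeMarker API calls (`org.freemarker:freemarker` 2.3.x) are real.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Collections;
import java.util.Map;

public class FreemarkerSstiDemo {

    // Constructed attacker input (assumption for this example): a FreeMarker
    // expression that uses the ?new built-in to instantiate Execute, a utility
    // class whose call method runs an OS command.
    static final String PAYLOAD =
        "${\"freemarker.template.utility.Execute\"?new()(\"id\")}";

    /** Vulnerable pattern: user-controlled text is compiled as the template itself. */
    static String renderUnsafe(String userInput) throws IOException, TemplateException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        // The default new_builtin_class_resolver is UNRESTRICTED_RESOLVER, so
        // ?new may load and instantiate any class on the classpath.
        Template t = new Template("dynamic-form", new StringReader(userInput), cfg);
        StringWriter out = new StringWriter();
        t.process(Collections.emptyMap(), out);
        return out.toString();
    }

    /** Mitigation from the advisory: ?new is not allowed to instantiate anything. */
    static String renderWithAllowsNothing(String userInput) throws IOException, TemplateException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // Off by default; stated explicitly so ?api cannot reach the Java API either.
        cfg.setAPIBuiltinEnabled(false);
        Template t = new Template("dynamic-form", new StringReader(userInput), cfg);
        StringWriter out = new StringWriter();
        t.process(Collections.emptyMap(), out);
        return out.toString();
    }

    /** Root-cause fix: the template is fixed and the user input is data only. */
    static String renderAsData(String userInput) throws IOException, TemplateException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        Template t = new Template("dynamic-form",
            new StringReader("<p>${label?html}</p>"), cfg);
        Map<String, Object> model = Collections.singletonMap("label", userInput);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Uncommenting this line runs `id` on the host: the payload is
        // evaluated, not displayed.
        // System.out.println(renderUnsafe(PAYLOAD));

        try {
            renderWithAllowsNothing(PAYLOAD);
        } catch (TemplateException e) {
            // The ?new call is rejected at evaluation time by the resolver.
            System.out.println("blocked: " + e.getMessage());
        }

        // The payload is emitted as HTML-escaped literal text.
        System.out.println(renderAsData(PAYLOAD));
    }
}
```

The second variant is what the recommendation describes and is sufficient to stop the `?new` path shown here, but it leaves the input in the position of template source; the third variant removes the injection point, and keeping `ALLOWS_NOTHING_RESOLVER` set in it is defence in depth.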

Fix

Weakness Enumeration

CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

Related Identifiers

CVE-2025-6761

Affected Products

Freemarker Engine
Kingdee Cloud-Starry-Sky Enterprise Edition