CVE-2025-61997

Name of the Vulnerable Software and Affected Versions OPEXUS FOIAXpress versions prior to 11.13.3.0

Description An administrative user can inject JavaScript or other content into the Annual Report Enterprise Banner image upload field. This injected content is executed when other users generate an Annual Report. Successful exploitation allows the administrative user to perform actions on behalf of the target user, potentially including the theft of session cookies, user credentials, or sensitive data. The issue involves a stored cross-site scripting (XSS) condition.

Recommendations Update OPEXUS FOIAXpress to version 11.13.3.0 or later.