XDocReport affected by a Server-Side Template Injection (SSTI) vulnerability
Critical severity
GitHub Reviewed
Published
Jan 20, 2026
to the GitHub Advisory Database
•
Updated Jan 21, 2026
Package
Affected versions
< 2.1.0
Patched versions
2.1.0
Description
Published by the National Vulnerability Database
Jan 20, 2026
Published to the GitHub Advisory Database
Jan 20, 2026
Reviewed
Jan 21, 2026
Last updated
Jan 21, 2026
A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport v1.0.0 to v2.1.0 allows attackers to execute arbitrary code via injecting crafted template expressions.
References