CVE-2025-54834

low-risk
Published 2025-07-31

OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 allows an unauthenticated, remote attacker to query the /App/CreateRequest.aspx endpoint to check for the existence of valid usernames. There are no rate-limiting mechanisms in place.

Do I need to act?

-
0.05% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Foiaxpress Public Access Link

Affected Vendors

Opexustech

References (3)

Release Notes https://docs.opexustech.com/docs/foiaxpress/11.12.0/FOIAXpress_Release_notes_11....
Product https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/...
Third Party Advisory https://www.cve.org/CVERecord?id=CVE-2025-54834
26
/ 100
low-risk
Severity 21/34 · High
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal