OpenObserve Vulnerable to HTML Injection in Organization Invitation Emails

3.5 / 10

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Description

OpenObserve is a cloud-native observability platform. In versions up to and including 0.16.1, when creating or renaming an organization with HTML in the name, the markup is rendered inside the invitation email. This indicates that user-controlled input is inserted into the email template without proper HTML escaping. As of time of publication, no patched versions are available.

Basic Information

ID CVE-2025-64744

Source GitHub_M

Published Nov 13, 2025 at 20:30

Modified Nov 13, 2025 at 21:14

Affected Product

Vendor openobserve

Product openobserve

Version <= 0.16.1

Affected Versions openobserve openobserve <= 0.16.1

CWE Classification

CWE-79

References

github.com /openobserve/openobserve/security/advisories/GHSA-3jpx-57gj-w458

{
    "lastseen": "",
    "description": "OpenObserve is a cloud-native observability platform. In versions up to and including 0.16.1, when creating or renaming an organization with HTML in the name, the markup is rendered inside the invitation email. This indicates that user-controlled input is inserted into the email template without proper HTML escaping. As of time of publication, no patched versions are available.",
    "published": "2025-11-13T20:30:20.960Z",
    "modified": "2025-11-13T21:14:33.407Z",
    "type": "cve",
    "title": "OpenObserve Vulnerable to HTML Injection in Organization Invitation Emails",
    "source": "GitHub_M",
    "references": "https://github.com/openobserve/openobserve/security/advisories/GHSA-3jpx-57gj-w458",
    "id": "CVE-2025-64744",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "openobserve openobserve <= 0.16.1",
    "sourceHref": "",
    "cvss": {
        "score": 3.5,
        "severity": "LOW",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "openobserve",
    "version": "<= 0.16.1",
    "vendor": "openobserve",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

OpenObserve Vulnerable to HTML Injection in Organization Invitation Emails_CVE-2025-64744