CVE-2026-22235

Summary

OPEXUS eComplaint before version 9.0.45.0 allows an attacker to visit the the 'DocumentOpen.aspx' endpoint, iterate through predictable values of 'chargeNumber', and download any uploaded files.

Affected Software

VendorProductVersion RangeStatus
OPEXUSeComplaint0 < 9.0.45.0affected
OPEXUSeComplaint9.0.45.0unaffected

Weaknesses

  • CWE-639: CWE-639 Authorization Bypass Through User-Controlled Key

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References