CVE-2026-32869
5.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Summary
OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of the "Name of Organization" field when filling out case information. An authenticated attacker can inject an XSS payload which is executed in the context of a victim's session when they visit the case information page.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| OPEXUS | eComplaint | 0 < 10.2.0.0 | affected |
| OPEXUS | eComplaint | 10.2.0.0 | unaffected |
| OPEXUS | eCASE | 0 < 10.2.0.0 | affected |
| OPEXUS | eCASE | 10.2.0.0 | unaffected |
Weaknesses
- CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json
- https://www.cve.org/CVERecord?id=CVE-2026-32869
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.