CVE-2026-32867 PUBLISHED

OPEXUS eComplaint unauthenticated file upload

Assigner: cisa-cg
Reserved: 16.03.2026 Published: 19.03.2026 Updated: 19.03.2026

OPEXUS eComplaint before version 10.1.0.0 allows an unauthenticated attacker to obtain or guess an existing case number and upload arbitrary files via 'Portal/EEOC/DocumentUploadPub.aspx'. Users would see these unexpected files in cases. Uploading a large number of files could consume storage.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
CVSS Score: 5.3

Product Status

Vendor OPEXUS
Product eComplaint
Versions Default: affected
  • affected from 0 to 10.1.0.0 (excl.)
  • Version 10.1.0.0 is unaffected

Credits

  • Adam Rose, CISA

Problem Types

  • CWE-639 Authorization Bypass Through User-Controlled Key
  • CWE-425 Direct Request ('Forced Browsing')