CVE-2026-32868 PUBLISHED

OPEXUS eComplaint and eCASE XSS via my information

Assigner: cisa-cg
Reserved: 16.03.2026 Published: 19.03.2026 Updated: 19.03.2026

OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in the 'My Information' screen. An authenticated attacker can inject parts of an XSS payload in the first and last name fields. The payload is executed when the full name is rendered. The attacker can run script in the context of a victim's session.

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
CVSS Score: 5.1

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	Low	Integrity	None
Attack Requirements	None	Availability	Low	Availability	None
Privileges Required	Low
User Interaction	Passive

CVSS 4.0

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
CVSS Score: 5.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	Low
User Interaction	Required	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	OPEXUS
Product	eComplaint
Versions	Default: unknown affected from 0 to 10.2.0.0 (excl.) Version 10.2.0.0 is unaffected

Vendor	OPEXUS
Product	eCASE
Versions	Default: unknown affected from 0 to 10.2.0.0 (excl.) Version 10.2.0.0 is unaffected

Credits

Adam Rose, CISA

References

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE