CVE-2026-32869 PUBLISHED

OPEXUS eComplaint and eCASE XSS via Name of Organization field

Assigner: cisa-cg
Reserved: 16.03.2026 Published: 19.03.2026 Updated: 19.03.2026

OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of the "Name of Organization" field when filling out case information. An authenticated attacker can inject an XSS payload which is executed in the context of a victim's session when they visit the case information page.

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
CVSS Score: 5.1

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	Low	Integrity	None
Attack Requirements	None	Availability	Low	Availability	None
Privileges Required	Low
User Interaction	Passive

CVSS 4.0

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
CVSS Score: 5.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	Low
User Interaction	Required	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	OPEXUS
Product	eComplaint
Versions	Default: unknown affected from 0 to 10.2.0.0 (excl.) Version 10.2.0.0 is unaffected

Vendor	OPEXUS
Product	eCASE
Versions	Default: unknown affected from 0 to 10.2.0.0 (excl.) Version 10.2.0.0 is unaffected

Credits

Adam Rose, CISA

References

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE