{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32869", "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "state": "PUBLISHED", "assignerShortName": "cisa-cg", "dateReserved": "2026-03-16T20:58:00.591Z", "datePublished": "2026-03-19T15:49:08.663Z", "dateUpdated": "2026-03-19T18:23:20.299Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of the \"Name of Organization\" field when filling out case information. An authenticated attacker can inject an XSS payload which is executed in the context of a victim's session when they visit the case information page."}], "affected": [{"vendor": "OPEXUS", "product": "eComplaint", "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "10.2.0.0", "versionType": "custom"}, {"version": "10.2.0.0", "status": "unaffected"}]}, {"vendor": "OPEXUS", "product": "eCASE", "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "10.2.0.0", "versionType": "custom"}, {"version": "10.2.0.0", "status": "unaffected"}]}], "problemTypes": [{"descriptions": [{"description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE", "cweId": "CWE-79"}]}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}, {"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-03T15:54:17.816315Z", "id": "CVE-2026-32869", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "OPEXUS eComplaint and eCASE XSS via Name of Organization field", "references": [{"name": "url", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json"}, {"name": "url", "url": "https://www.cve.org/CVERecord?id=CVE-2026-32869"}], "credits": [{"value": "Adam Rose, CISA", "lang": "en"}], "datePublic": "2026-03-18T00:00:00.000Z", "providerMetadata": {"orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg", "dateUpdated": "2026-03-19T15:49:08.663Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T18:23:01.187570Z", "id": "CVE-2026-32869", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T18:23:20.299Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32869", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T18:23:01.187570Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T18:23:08.152Z"}}], "cna": {"title": "OPEXUS eComplaint and eCASE XSS via Name of Organization field", "credits": [{"lang": "en", "value": "Adam Rose, CISA"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}, {"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32869", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-03T15:54:17.816315Z"}}}], "affected": [{"vendor": "OPEXUS", "product": "eComplaint", "versions": [{"status": "affected", "version": "0", "lessThan": "10.2.0.0", "versionType": "custom"}, {"status": "unaffected", "version": "10.2.0.0"}], "defaultStatus": "unknown"}, {"vendor": "OPEXUS", "product": "eCASE", "versions": [{"status": "affected", "version": "0", "lessThan": "10.2.0.0", "versionType": "custom"}, {"status": "unaffected", "version": "10.2.0.0"}], "defaultStatus": "unknown"}], "datePublic": "2026-03-18T00:00:00.000Z", "references": [{"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json", "name": "url"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-32869", "name": "url"}], "descriptions": [{"lang": "en", "value": "OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of the \"Name of Organization\" field when filling out case information. An authenticated attacker can inject an XSS payload which is executed in the context of a victim's session when they visit the case information page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg", "dateUpdated": "2026-03-19T15:49:08.663Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32869", "state": "PUBLISHED", "dateUpdated": "2026-03-19T18:23:20.299Z", "dateReserved": "2026-03-16T20:58:00.591Z", "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "datePublished": "2026-03-19T15:49:08.663Z", "assignerShortName": "cisa-cg"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opexustech:ecase_ecomplaint:*:*:*:*:*:*:*:*", "matchCriteriaId": "6172CD20-C918-423A-BDBF-66968C003010", "versionEndExcluding": "10.2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of the \"Name of Organization\" field when filling out case information. An authenticated attacker can inject an XSS payload which is executed in the context of a victim's session when they visit the case information page."}, {"lang": "es", "value": "OPEXUS eComplaint y eCASE anteriores a 10.2.0.0 no sanean correctamente el contenido del campo 'Nombre de la Organizaci\u00f3n' al rellenar la informaci\u00f3n del caso. Un atacante autenticado puede inyectar una carga \u00fatil XSS que se ejecuta en el contexto de la sesi\u00f3n de una v\u00edctima cuando esta visita la p\u00e1gina de informaci\u00f3n del caso."}], "id": "CVE-2026-32869", "lastModified": "2026-03-30T13:04:52.380", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.4, "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}]}, "published": "2026-03-19T16:16:04.013", "references": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Broken Link"], "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Third Party Advisory"], "url": "https://www.cve.org/CVERecord?id=CVE-2026-32869"}], "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,10.2.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "10.2.0.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "ecase", "vendor": "opexus"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,10.2.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "10.2.0.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "eComplaint", "source": "cna", "vendor": "OPEXUS"}, "product": "ecomplaint", "vendor": "opexus"}], "analysis": {"en": {"generated_at": "2026-03-19T17:20:28.295223+00:00", "value": {"mitigation_remediation": ["Verify that your OPEXUS eComplaint and eCASE installations are version 10.2.0.0 or newer", "If not, schedule an upgrade to the latest stable release or apply any vendor\u2011published patch that addresses the XSS issue", "If upgrading is not immediately possible, restrict access to the \"Name of Organization\" field through web\u2011application firewall rules or input validation if supported", "Monitor web access logs for unusual script activity and keep the system\u2019s security patch level current"], "summary": {"action": "Patch Immediately", "impact": "Cross-site scripting (XSS) that executes in the context of a victim\u2019s session"}, "threat_synthesis": {"affected_systems": "OPEXUS products affected are eComplaint and eCASE; all releases prior to 10.2.0.0 are vulnerable. The vendor has documented the problem for these specific applications.", "description_and_impact": "The vulnerability exists in OPEXUS eComplaint and eCASE before version 10.2.0.0 because the application fails to sanitize the content of the \"Name of Organization\" field when case information is entered. An authenticated attacker can inject a JavaScript payload into this field, and the payload is later executed in the victim\u2019s browser when the case information page is viewed, allowing the attacker to run malicious scripts under the victim\u2019s session. This flaw is identified as a Cross\u2011Site Scripting (CWE\u201179) weakness.", "risk_and_exploitability": "The CVSS score is 5.1, indicating a Medium severity level. No EPSS score is available, and the vulnerability is not listed in CISA\u2019s KEV catalog. Because it requires the attacker to be authenticated and the victim to view the case page, the risk is moderate. Exploitation would allow the attacker to run arbitrary JavaScript in the victim\u2019s browser context, potentially leading to session hijacking or data exfiltration. No public exploit is known from the provided data."}}}}, "created": "2026-03-20T08:56:40.355985+00:00", "updated": "2026-03-20T11:06:51.358250+00:00", "vendors": ["opexus", "opexus$PRODUCT$ecase", "opexus$PRODUCT$ecomplaint"]}