{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32866", "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "state": "PUBLISHED", "assignerShortName": "cisa-cg", "dateReserved": "2026-03-16T20:57:12.860Z", "datePublished": "2026-03-19T15:48:17.289Z", "dateUpdated": "2026-03-19T18:21:50.981Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in a user profile. An authenticated attacker can inject parts of an XSS payload in their first and last name fields. The payload is executed when the user's full name is rendered. The attacker can run script in the context of a victim's session."}], "affected": [{"vendor": "OPEXUS", "product": "eCASE", "defaultStatus": "affected", "versions": [{"version": "0", "status": "affected", "lessThan": "10.1.0.0", "versionType": "custom"}, {"version": "10.1.0.0", "status": "unaffected"}]}], "problemTypes": [{"descriptions": [{"description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE", "cweId": "CWE-79"}]}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}, {"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-03T15:53:18.506702Z", "id": "CVE-2026-32866", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "OPEXUS eComplaint and eCase stored XSS via profile first and last name", "references": [{"name": "url", "url": "https://www.cve.org/CVERecord?id=CVE-2026-32866"}, {"name": "url", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json"}], "credits": [{"value": "Adam Rose, CISA", "lang": "en"}], "datePublic": "2026-03-18T00:00:00.000Z", "providerMetadata": {"orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg", "dateUpdated": "2026-03-19T15:48:17.289Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T18:21:35.776406Z", "id": "CVE-2026-32866", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T18:21:50.981Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32866", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T18:21:35.776406Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T18:21:42.916Z"}}], "cna": {"title": "OPEXUS eComplaint and eCase stored XSS via profile first and last name", "credits": [{"lang": "en", "value": "Adam Rose, CISA"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}, {"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32866", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-03T15:53:18.506702Z"}}}], "affected": [{"vendor": "OPEXUS", "product": "eCASE", "versions": [{"status": "affected", "version": "0", "lessThan": "10.1.0.0", "versionType": "custom"}, {"status": "unaffected", "version": "10.1.0.0"}], "defaultStatus": "affected"}], "datePublic": "2026-03-18T00:00:00.000Z", "references": [{"url": "https://www.cve.org/CVERecord?id=CVE-2026-32866", "name": "url"}, {"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json", "name": "url"}], "descriptions": [{"lang": "en", "value": "OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in a user profile. An authenticated attacker can inject parts of an XSS payload in their first and last name fields. The payload is executed when the user's full name is rendered. The attacker can run script in the context of a victim's session."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg", "dateUpdated": "2026-03-19T15:48:17.289Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32866", "state": "PUBLISHED", "dateUpdated": "2026-03-19T18:21:50.981Z", "dateReserved": "2026-03-16T20:57:12.860Z", "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "datePublished": "2026-03-19T15:48:17.289Z", "assignerShortName": "cisa-cg"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in a user profile. An authenticated attacker can inject parts of an XSS payload in their first and last name fields. The payload is executed when the user's full name is rendered. The attacker can run script in the context of a victim's session."}], "id": "CVE-2026-32866", "lastModified": "2026-03-20T13:39:46.493", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.4, "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}]}, "published": "2026-03-19T16:16:03.460", "references": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "url": "https://www.cve.org/CVERecord?id=CVE-2026-32866"}], "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,10.1.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "10.1.0.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "ecase", "vendor": "opexus"}], "analysis": {"en": {"generated_at": "2026-03-19T17:21:09.284497+00:00", "value": {"mitigation_remediation": ["Upgrade OPEXUS eCASE to version 10.2.0.0 or later.", "If an upgrade is not immediately possible, restrict or sanitize first and last name fields to prevent script injection, or block known malicious characters.", "Monitor application logs for attempted injection or XSS activity.", "Ensure user accounts are protected with strong authentication and consider reviewing account permissions to reduce the likelihood of the attacker modifying profile data."], "summary": {"action": "Update", "impact": "Cross\u2011Site Scripting (Stored)"}, "threat_synthesis": {"affected_systems": "Affected systems are OPEXUS eCASE (product OPEXUS:eCASE) running any version prior to 10.2.0.0. The CVE description lists no additional sub\u2011versions; therefore any installation below that baseline is vulnerable.", "description_and_impact": "The vulnerability is a stored cross\u2011site scripting flaw in OPEXUS eComplaint and eCASE versions before 10.2.0.0. An authenticated user can supply unsanitized fragments of an XSS payload in the first and last name fields of their profile. When the user\u2019s full name is displayed, the browser executes the attacker\u2019s payload in the context of any victim who views the page. This allows the attacker to run arbitrary JavaScript, potentially hijacking sessions, stealing credentials, or modifying page content.", "risk_and_exploitability": "This issue scores 5.1 on the CVSS scale, indicating moderate severity. The Exploit Prediction Scoring System score is not available, and the vulnerability is not listed in the CISA KEV catalog. Although the vector requires an attacker to be authenticated to their own account, the impact is that any user who views the profile executes script in the victim\u2019s context. The lack of publicly known exploits in production keeps the immediate risk lower, but the moderate CVSS and the ability to compromise session integrity warrant timely remediation."}}}}, "created": "2026-03-20T08:56:42.948335+00:00", "updated": "2026-03-20T14:14:46.854863+00:00", "vendors": ["opexus", "opexus$PRODUCT$ecase"]}