Ecase Audit
CVE-2026-22232
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript in the "A or SIC Number" field within the Project Setup functionality. The JavaScript is executed whenever another user views the project. Fixed in OPEXUS eCASE Audit 11.14.2.0.
AnalysisAI
Stored cross-site scripting in OPEXUS eCASE Audit's Project Setup functionality allows authenticated users to inject malicious JavaScript into the "A or SIC Number" field that executes in other users' browsers when they view the project. An attacker with valid credentials can exploit this to steal session tokens, perform unauthorized actions, or compromise data for all project viewers. No patch is currently available.
Technical ContextAI
Classified as CWE-79 (Cross-site Scripting (XSS)). Affects the Project Setup component of Ecase Audit. OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript in the "A or SIC Number" field within the Project Setup functionality. The JavaScript is executed whenever another user views the project. Fixed in OPEXUS eCASE Audit 11.14.2.0.
RemediationAI
Monitor vendor advisories for a patch. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.
More in Ecase Audit
View allOPEXUS eCASE Audit contains an access control bypass that allows authenticated users to circumvent administrative restri
Stored cross-site scripting in OPEXUS eCASE Audit enables authenticated users to inject malicious JavaScript through the
OPEXUS eCASE Audit's Document Check Out feature contains a stored cross-site scripting vulnerability that allows authent
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today