Ecase Audit
CVE-2026-22233
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment in the "Estimated Staff Hours" field. The JavaScript is executed whenever another user visits the Project Cost tab. Fixed in OPEXUS eCASE Audit 11.14.2.0.
AnalysisAI
Stored cross-site scripting in OPEXUS eCASE Audit enables authenticated users to inject malicious JavaScript through the "Estimated Staff Hours" comment field, which executes when other users access the Project Cost tab. This allows attackers with valid credentials to compromise other users' sessions and perform unauthorized actions within the application. No patch is currently available for this vulnerability.
Technical ContextAI
Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Ecase Audit. OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment in the "Estimated Staff Hours" field. The JavaScript is executed whenever another user visits the Project Cost tab. Fixed in OPEXUS eCASE Audit 11.14.2.0.
RemediationAI
Monitor vendor advisories for a patch. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.
More in Ecase Audit
View allOPEXUS eCASE Audit contains an access control bypass that allows authenticated users to circumvent administrative restri
Stored cross-site scripting in OPEXUS eCASE Audit's Project Setup functionality allows authenticated users to inject mal
OPEXUS eCASE Audit's Document Check Out feature contains a stored cross-site scripting vulnerability that allows authent
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today