Ecase Portal
CVE-2026-22234
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
OPEXUS eCasePortal before version 9.0.45.0 allows an unauthenticated attacker to navigate to the 'Attachments.aspx' endpoint, iterate through predictable values of 'formid', and download or delete all user-uploaded files, or upload new files.
AnalysisAI
OPEXUS eCasePortal before 9.0.45.0 allows unauthenticated access to the Attachments.aspx endpoint with predictable formid values. Attackers can download, delete, or upload files without authentication.
Technical ContextAI
The Attachments.aspx endpoint uses predictable sequential formid values (CWE-639) and lacks authentication. An attacker can iterate through IDs to access, delete, or replace any uploaded file in the case management system.
RemediationAI
Update to 9.0.45.0. Implement authentication and authorization on all file operations. Use non-sequential, unpredictable identifiers.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today