Skip to main content

Ecase EUVDEUVD-2026-13124

| CVE-2026-32866 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-19 cisa-cg
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
10.1.0.0
EUVD ID Assigned
Mar 19, 2026 - 16:00 euvd
EUVD-2026-13124
Analysis Generated
Mar 19, 2026 - 16:00 vuln.today
CVE Published
Mar 19, 2026 - 15:48 nvd
MEDIUM 5.1

DescriptionCVE.org

OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in a user profile. An authenticated attacker can inject parts of an XSS payload in their first and last name fields. The payload is executed when the user's full name is rendered. The attacker can run script in the context of a victim's session.

AnalysisAI

This is a stored cross-site scripting (XSS) vulnerability in OPEXUS eComplaint and eCASE versions before 10.2.0.0, where user profile first and last name fields lack proper input sanitization. An authenticated attacker can inject malicious JavaScript payloads into these fields, which execute in the context of any victim's session when the attacker's full name is rendered, allowing theft of session tokens, credential harvesting, or account manipulation. The vulnerability carries a CVSS 5.5 (medium) score but poses real risk due to its authenticated-but-no-special-privileges requirement and user interaction dependency; exploitation is likely straightforward given the simplicity of XSS injection techniques.

Technical ContextAI

This vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic web application input validation flaw. The OPEXUS eComplaint and eCASE platform (identified via CPE cpe:2.3:a:opexus:ecase:*:*:*:*:*:*:*:*) stores user profile metadata in database fields that are later rendered in HTML contexts without encoding. When the application constructs user profile pages or displays full names in lists, tables, or notifications, the unescaped name fields allow browser-side script execution. This is a stored XSS variant rather than reflected XSS because the payload persists in the user profile record and affects all subsequent viewers, making it particularly dangerous in multi-user business applications.

RemediationAI

The primary remediation is to upgrade OPEXUS eComplaint and eCASE to version 10.2.0.0 or later, which includes proper input sanitization for user profile fields. Organizations should apply this patch immediately to all affected instances. Until patching is feasible, implement compensating controls by restricting access to the application through network segmentation (limit to trusted IP ranges), enforcing strict Content Security Policy (CSP) headers to block inline script execution, and disabling or restricting the ability for low-privilege users to edit profile fields. Additionally, conduct immediate audit of user profile records to identify any suspicious or malicious entries in first and last name fields. Enable HTTP-only and Secure cookie flags to reduce session hijacking impact. For detailed patch availability and deployment instructions, refer to the CISA advisory at https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json and contact OPEXUS support for version-specific guidance.

Share

EUVD-2026-13124 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy