Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in the 'My Information' screen. An authenticated attacker can inject parts of an XSS payload in the first and last name fields. The payload is executed when the full name is rendered. The attacker can run script in the context of a victim's session.
AnalysisAI
This is a stored cross-site scripting (XSS) vulnerability in OPEXUS eComplaint and eCASE platforms where the first and last name fields in the 'My Information' screen fail to properly sanitize user input. An authenticated attacker can inject malicious JavaScript code into these fields, which executes in the context of victim sessions when the full name is rendered, allowing credential theft, session hijacking, or malicious actions on behalf of the victim. The CVSS 5.5 score reflects moderate risk (low integrity/confidentiality/availability impact) mitigated by authentication requirements and user interaction necessity, though the practical risk depends on deployment context and whether patches are available.
Technical ContextAI
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - 'Cross-site Scripting'), which represents a fundamental input validation and output encoding failure. The affected products—OPEXUS eComplaint and eCASE (confirmed via CPE cpe:2.3:a:opexus:ecomplaint and cpe:2.3:a:opexus:ecase)—fail to sanitize or encode the first and last name fields before storing and rendering them to users. Modern web applications should implement context-aware output encoding (HTML entity encoding for HTML context, JavaScript escaping for JS context) and input validation (allowlist of safe characters for name fields). The vulnerability is particularly concerning in complaint and case management systems where multiple users may view case records containing attacker-controlled name data, creating a wide exposure surface for XSS execution.
RemediationAI
Upgrade OPEXUS eComplaint and eCASE installations to version 10.2.0.0 or later, which contains proper input sanitization for the first and last name fields. This is the primary and recommended mitigation. Pending patch deployment, implement compensating controls: (1) apply strict Content Security Policy (CSP) headers to restrict script execution to trusted sources only; (2) configure Web Application Firewall (WAF) rules to detect and block common XSS patterns in HTTP requests targeting the 'My Information' endpoint; (3) limit access to case viewing functions to authorized personnel only via network segmentation or role-based access controls; (4) monitor application logs for suspicious name field submissions containing script tags or event handlers. Consult the CISA advisory (va-26-077-01) and CVE.org record for vendor-specific guidance and patch availability timelines.
More in Ecomplaint
View allA critical authentication bypass vulnerability in OPEXUS eComplaint and eCASE applications allows unauthenticated attack
OPEXUS eComplaint versions before 10.1.0.0 allow unauthenticated attackers to enumerate case numbers and upload arbitrar
This vulnerability is a stored/reflected cross-site scripting (XSS) flaw in OPEXUS eComplaint and eCASE that allows auth
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13128