{ "document": { "category": "csaf_vex", "csaf_version": "2.0", "lang": "en-US", "publisher": { "category": "coordinator", "contact_details": "https://www.cisa.gov/report", "issuing_authority": "CISA", "name": "CISA", "namespace": "https://www.cisa.gov/" }, "title": "OPEXUS eCASE", "tracking": { "current_release_date": "2026-01-08T16:36:15Z", "generator": { "engine": { "name": "VINCE-NT", "version": "1.11.0" } }, "id": "VA-26-008-01", "initial_release_date": "2026-01-08T16:36:15Z", "status": "final", "version": "1.0.0", "revision_history": [ { "number": "1.0.0", "summary": "Initial publication", "date": "2026-01-08T16:36:15Z" } ] }, "distribution": { "tlp": { "label": "WHITE" } }, "notes": [ { "text": "All information products included in [https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white](https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white) are provided \\\"as is\\\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see [https://us-cert.cisa.gov/tlp/](https://us-cert.cisa.gov/tlp/).", "title": "Legal Notice", "category": "legal_disclaimer" }, { "text": "Worldwide", "title": "Countries and Areas Deployed", "category": "other" }, { "text": "Information Technology", "title": "Critical Infrastructure Sectors", "category": "other" }, { "text": "OPEXUS eCASE Audit contains multiple vulnerabilities. An authenticated attacker could bypass authorization or inject JavaScript that could be executed in the context of other users.", "title": "Risk Evaluation", "category": "summary" }, { "text": "Update to eCase Audit v11.14.2.0 and eCase Platform v11.14.1.0.", "title": "Recommended Practices", "category": "general" }, { "text": "United States", "title": "Company Headquarters Location", "category": "other" } ], "references": [ { "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-008-01.json", "summary": "Vulnerability Advisory VA-26-008-01 CSAF", "category": "self" } ] }, "product_tree": { "branches": [ { "category": "vendor", "name": "OPEXUS", "branches": [ { "category": "product_name", "name": "eCASE Audit", "branches": [ { "category": "product_version_range", "name": ">=11.4.0|<11.14.1.0", "product": { "name": "OPEXUS eCASE Audit >=11.4.0|<11.14.1.0", "product_id": "CSAFPID-0001" } }, { "category": "product_version", "name": "11.14.1.0", "product": { "name": "OPEXUS eCASE Audit 11.14.1.0", "product_id": "CSAFPID-0002" } }, { "category": "product_version_range", "name": ">=11.4.0|<11.14.2.0", "product": { "name": "OPEXUS eCASE Audit >=11.4.0|<11.14.2.0", "product_id": "CSAFPID-0003" } }, { "category": "product_version", "name": "11.14.2.0", "product": { "name": "OPEXUS eCASE Audit 11.14.2.0", "product_id": "CSAFPID-0004" } } ] } ] } ] }, "vulnerabilities": [ { "cve": "CVE-2026-22230", "cwe": { "id": "CWE-863", "name": "Incorrect Authorization" }, "notes": [ { "category": "summary", "text": "OPEXUS eCASE Audit allows an authenticated attacker to modify client-side JavaScript or craft HTTP requests to access functions or buttons that have been disabled or blocked by an administrator. Fixed in eCASE Platform 11.14.1.0.", "title": "Description" }, { "category": "details", "title": "SSVC", "text": "SSVCv2/E:P/A:N/T:P/2026-01-06T22:30:03Z/" } ], "title": "OPEXUS eCASE Audit incorrect access control", "product_status": { "known_affected": [ "CSAFPID-0001" ], "fixed": [ "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "docs.opexustech.com", "url": "https://docs.opexustech.com/docs/eCase/11.14.X/eCASE_Release_Notes_11.14.1.0.pdf" }, { "category": "external", "summary": "www.cve.org", "url": "https://www.cve.org/CVERecord?id=CVE-2026-22230" }, { "category": "external", "summary": "raw.githubusercontent.com", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-008-01.json" } ], "scores": [ { "cvss_v3": { "baseScore": 7.6, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "remediations": [ { "category": "vendor_fix", "details": "Fixed in version 11.14.1.0.", "url": "https://docs.opexustech.com/docs/eCase/11.14.X/eCASE_Release_Notes_11.14.1.0.pdf", "product_ids": [ "CSAFPID-0001" ], "date": "2025-11-01T00:00:00Z" }, { "category": "vendor_fix", "details": "Fixed in version 11.14.1.0.", "url": "https://docs.opexustech.com/docs/eCase/11.14.X/eCASE_Release_Notes_11.14.1.0.pdf", "product_ids": [ "CSAFPID-0002" ], "date": "2025-11-01T00:00:00Z" } ], "acknowledgments": [ { "organization": "United States Department of Justice", "names": [ "Aaron M. Ramirez", " Son Nguyen", " Wesley Cuffee" ] } ], "release_date": "2026-01-08T00:00:00Z" }, { "cve": "CVE-2026-22231", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" }, "notes": [ { "category": "summary", "text": "OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment within the Document Check Out functionality. The JavaScript is executed whenever another user views the Action History Log. Fixed in OPEXUS eCASE Platform 11.14.1.0.", "title": "Description" }, { "category": "details", "title": "SSVC", "text": "SSVCv2/E:N/A:N/T:P/2025-12-11T18:30:59Z/" } ], "title": "OPEXUS eCASE Audit Document Check Out stored XSS", "product_status": { "known_affected": [ "CSAFPID-0001" ], "fixed": [ "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "docs.opexustech.com", "url": "https://docs.opexustech.com/docs/eCase/11.14.X/eCASE_Release_Notes_11.14.1.0.pdf" }, { "category": "external", "summary": "raw.githubusercontent.com", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-008-01.json" }, { "category": "external", "summary": "www.cve.org", "url": "https://www.cve.org/CVERecord?id=CVE-2026-22231" } ], "scores": [ { "cvss_v3": { "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "remediations": [ { "category": "vendor_fix", "details": "Fixed in version 11.14.1.0.", "url": "https://docs.opexustech.com/docs/eCase/11.14.X/eCASE_Release_Notes_11.14.1.0.pdf", "product_ids": [ "CSAFPID-0001" ], "date": "2025-11-01T00:00:00Z" }, { "category": "vendor_fix", "details": "Fixed in version 11.14.1.0.", "url": "https://docs.opexustech.com/docs/eCase/11.14.X/eCASE_Release_Notes_11.14.1.0.pdf", "product_ids": [ "CSAFPID-0002" ], "date": "2025-11-01T00:00:00Z" } ], "acknowledgments": [ { "organization": "United States Department of Justice", "names": [ "Aaron M. Ramirez", " Son Nguyen", " Wesley Cuffee" ] } ], "release_date": "2026-01-08T00:00:00Z" }, { "cve": "CVE-2026-22232", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" }, "notes": [ { "category": "summary", "text": "OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript in the \"A or SIC Number\" field within the Project Setup functionality. The JavaScript is executed whenever another user views the project. Fixed in OPEXUS eCASE Audit 11.14.2.0.", "title": "Description" }, { "category": "details", "title": "SSVC", "text": "SSVCv2/E:N/A:N/T:P/2025-12-11T18:27:56Z/" } ], "title": "OPEXUS eCASE Audit Project Setup stored XSS", "product_status": { "known_affected": [ "CSAFPID-0003" ], "fixed": [ "CSAFPID-0004" ] }, "references": [ { "category": "external", "summary": "docs.opexustech.com", "url": "https://docs.opexustech.com/docs/oig/audit/eCase_Audit_Release_Notes_11.14.2.0.pdf" }, { "category": "external", "summary": "www.cve.org", "url": "https://www.cve.org/CVERecord?id=CVE-2026-22232" }, { "category": "external", "summary": "raw.githubusercontent.com", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-008-01.json" } ], "scores": [ { "cvss_v3": { "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1" }, "products": [ "CSAFPID-0003" ] } ], "remediations": [ { "category": "vendor_fix", "details": "Fixed in 11.14.2.0.", "url": "https://docs.opexustech.com/docs/oig/audit/eCase_Audit_Release_Notes_11.14.2.0.pdf", "product_ids": [ "CSAFPID-0003" ], "date": "2025-11-29T00:00:00Z" }, { "category": "vendor_fix", "details": "Fixed in 11.14.2.0.", "url": "https://docs.opexustech.com/docs/oig/audit/eCase_Audit_Release_Notes_11.14.2.0.pdf", "product_ids": [ "CSAFPID-0004" ], "date": "2025-11-29T00:00:00Z" } ], "acknowledgments": [ { "organization": "United States Department of Justice", "names": [ "Aaron M. Ramirez", " Son Nguyen", " Wesley Cuffee" ] } ], "release_date": "2026-01-08T00:00:00Z" }, { "cve": "CVE-2026-22233", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" }, "notes": [ { "category": "summary", "text": "OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment in the \"Estimated Staff Hours\" field. The JavaScript is executed whenever another user visits the Project Cost tab. Fixed in OPEXUS eCASE Audit 11.14.2.0.", "title": "Description" }, { "category": "details", "title": "SSVC", "text": "SSVCv2/E:N/A:N/T:P/2025-12-11T18:28:18Z/" } ], "title": "OPEXUS eCASE Audit Project Cost stored XSS", "product_status": { "known_affected": [ "CSAFPID-0003" ], "fixed": [ "CSAFPID-0004" ] }, "references": [ { "category": "external", "summary": "docs.opexustech.com", "url": "https://docs.opexustech.com/docs/oig/audit/eCase_Audit_Release_Notes_11.14.2.0.pdf" }, { "category": "external", "summary": "raw.githubusercontent.com", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-008-01.json" }, { "category": "external", "summary": "www.cve.org", "url": "https://www.cve.org/CVERecord?id=CVE-2026-22233" } ], "scores": [ { "cvss_v3": { "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1" }, "products": [ "CSAFPID-0003" ] } ], "remediations": [ { "category": "vendor_fix", "details": "Fixed in 11.14.2.0.", "url": "https://docs.opexustech.com/docs/oig/audit/eCase_Audit_Release_Notes_11.14.2.0.pdf", "product_ids": [ "CSAFPID-0003" ], "date": "2025-11-29T00:00:00Z" }, { "category": "vendor_fix", "details": "Fixed in 11.14.2.0.", "url": "https://docs.opexustech.com/docs/oig/audit/eCase_Audit_Release_Notes_11.14.2.0.pdf", "product_ids": [ "CSAFPID-0004" ], "date": "2025-11-29T00:00:00Z" } ], "acknowledgments": [ { "organization": "United States Department of Justice", "names": [ "Aaron M. Ramirez", " Son Nguyen", " Wesley Cuffee" ] } ], "release_date": "2026-01-08T00:00:00Z" } ] }