{"document": {"category": "csaf_vex", "csaf_version": "2.0", "lang": "en-US", "publisher": {"category": "coordinator", "contact_details": "https://www.cisa.gov/report", "issuing_authority": "CISA", "name": "CISA", "namespace": "https://www.cisa.gov/"}, "title": "OPEXUS eComplaint and eCase multiple vulnerabilities", "tracking": {"current_release_date": "2026-03-19T14:47:43Z", "generator": {"engine": {"name": "VINCE-NT", "version": "1.13.0+build.51"}}, "id": "VA-26-077-01", "initial_release_date": "2026-03-19T14:47:43Z", "status": "final", "version": "1.0.0", "revision_history": [{"number": "1.0.0", "summary": "Initial publication", "date": "2026-03-19T14:47:43Z"}]}, "distribution": {"tlp": {"label": "WHITE"}}, "notes": [{"text": "All information products included in [https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white](https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white) are provided \\\"as is\\\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see [https://us-cert.cisa.gov/tlp/](https://us-cert.cisa.gov/tlp/).", "title": "Legal Notice", "category": "legal_disclaimer"}, {"text": "Worldwide", "title": "Countries and Areas Deployed", "category": "other"}, {"text": "Information Technology", "title": "Critical Infrastructure Sectors", "category": "other"}, {"text": "OPEXUS eComplaint and eCase contain multiple vulnerabilities. In the worst case, an unauthenticated attacker could take over any account with a known username.", "title": "Risk Evaluation", "category": "summary"}, {"text": "Update to OPEXUS eCase and eComplaint 10.1.0.0.", "title": "Recommended Practices", "category": "general"}, {"text": "United States", "title": "Company Headquarters Location", "category": "other"}], "references": [{"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json", "summary": "Vulnerability Advisory VA-26-077-01 CSAF", "category": "self"}]}, "product_tree": {"branches": [{"category": "vendor", "name": "OPEXUS", "branches": [{"category": "product_name", "name": "eCASE", "branches": [{"category": "product_version_range", "name": "<10.1.0.0", "product": {"name": "OPEXUS eCASE <10.1.0.0", "product_id": "CSAFPID-0001"}}, {"category": "product_version", "name": "10.1.0.0", "product": {"name": "OPEXUS eCASE 10.1.0.0", "product_id": "CSAFPID-0002"}}, {"category": "product_version_range", "name": "<10.2.0.0", "product": {"name": "OPEXUS eCASE <10.2.0.0", "product_id": "CSAFPID-0003"}}, {"category": "product_version", "name": "10.2.0.0", "product": {"name": "OPEXUS eCASE 10.2.0.0", "product_id": "CSAFPID-0004"}}]}, {"category": "product_name", "name": "eComplaint", "branches": [{"category": "product_version_range", "name": "<10.2.0.0", "product": {"name": "OPEXUS eComplaint <10.2.0.0", "product_id": "CSAFPID-0005"}}, {"category": "product_version", "name": "10.2.0.0", "product": {"name": "OPEXUS eComplaint 10.2.0.0", "product_id": "CSAFPID-0006"}}, {"category": "product_version_range", "name": "<10.1.0.0", "product": {"name": "OPEXUS eComplaint <10.1.0.0", "product_id": "CSAFPID-0007"}}, {"category": "product_version", "name": "10.1.0.0", "product": {"name": "OPEXUS eComplaint 10.1.0.0", "product_id": "CSAFPID-0008"}}]}]}]}, "vulnerabilities": [{"cve": "CVE-2026-32865", "cwe": {"id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor"}, "notes": [{"category": "summary", "text": "OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verification code in the HTTP response when requesting a password reset via 'ForcePasswordReset.aspx'. An attacker who knows an existing user's email address can reset the user's password and security questions. Existing security questions are not asked during the process.", "title": "Description"}, {"category": "details", "title": "SSVC", "text": "SSVCv2/E:N/A:N/T:T/2026-03-03T15:52:17Z/"}], "title": "OPEXUS eComplaint and eCase insecure password reset", "product_status": {"known_affected": ["CSAFPID-0007", "CSAFPID-0001"], "fixed": ["CSAFPID-0008", "CSAFPID-0002"]}, "references": [{"category": "external", "summary": "raw.githubusercontent.com", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json"}, {"category": "external", "summary": "www.cve.org", "url": "https://www.cve.org/CVERecord?id=CVE-2026-32865"}], "scores": [{"cvss_v3": {"baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "products": ["CSAFPID-0007", "CSAFPID-0001"]}], "remediations": [{"category": "vendor_fix", "details": "Fixed in 10.1.0.0.", "product_ids": ["CSAFPID-0007"]}, {"category": "vendor_fix", "details": "Fixed in 10.1.0.0.", "product_ids": ["CSAFPID-0008"]}, {"category": "vendor_fix", "details": "Fixed in 10.1.0.0.", "product_ids": ["CSAFPID-0001"]}, {"category": "vendor_fix", "details": "Fixed in 10.1.0.0.", "product_ids": ["CSAFPID-0002"]}], "acknowledgments": [{"organization": "CISA", "names": ["Adam Rose"]}], "release_date": "2026-03-18T00:00:00Z"}, {"cve": "CVE-2026-32866", "cwe": {"id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}, "notes": [{"category": "summary", "text": "OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in a user profile. An authenticated attacker can inject parts of an XSS payload in their first and last name fields. The payload is executed when the user's full name is rendered. The attacker can run script in the context of a victim's session.", "title": "Description"}, {"category": "details", "title": "SSVC", "text": "SSVCv2/E:N/A:N/T:P/2026-03-03T15:53:18Z/"}], "title": "OPEXUS eComplaint and eCase stored XSS via profile first and last name", "product_status": {"known_affected": ["CSAFPID-0001"], "fixed": ["CSAFPID-0002"]}, "references": [{"category": "external", "summary": "www.cve.org", "url": "https://www.cve.org/CVERecord?id=CVE-2026-32866"}, {"category": "external", "summary": "raw.githubusercontent.com", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json"}], "scores": [{"cvss_v3": {"baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "products": ["CSAFPID-0001"]}], "remediations": [{"category": "vendor_fix", "details": "Fixed in 10.1.0.0.", "product_ids": ["CSAFPID-0001"]}, {"category": "vendor_fix", "details": "Fixed in 10.1.0.0.", "product_ids": ["CSAFPID-0002"]}], "acknowledgments": [{"organization": "CISA", "names": ["Adam Rose"]}], "release_date": "2026-03-18T00:00:00Z"}, {"cve": "CVE-2026-32867", "cwe": {"id": "CWE-639", "name": "Authorization Bypass Through User-Controlled Key"}, "notes": [{"category": "summary", "text": "OPEXUS eComplaint before version 10.1.0.0 allows an unauthenticated attacker to obtain or guess an existing case number and upload arbitrary files via 'Portal/EEOC/DocumentUploadPub.aspx'. Users would see these unexpected files in cases. Uploading a large number of files could consume storage.", "title": "Description"}, {"category": "details", "title": "SSVC", "text": "SSVCv2/E:N/A:Y/T:P/2026-03-04T18:26:56Z/"}], "title": "OPEXUS eComplaint unauthenticated file upload", "product_status": {"known_affected": ["CSAFPID-0007"], "fixed": ["CSAFPID-0008"]}, "references": [{"category": "external", "summary": "raw.githubusercontent.com", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json"}, {"category": "external", "summary": "www.cve.org", "url": "https://www.cve.org/CVERecord?id=CVE-2026-32867"}], "scores": [{"cvss_v3": {"baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}, "products": ["CSAFPID-0007"]}], "remediations": [{"category": "vendor_fix", "details": "Fixed in 10.1.0.0.", "product_ids": ["CSAFPID-0007"]}, {"category": "vendor_fix", "details": "Fixed in 10.1.0.0.", "product_ids": ["CSAFPID-0008"]}], "acknowledgments": [{"organization": "CISA", "names": ["Adam Rose"]}], "release_date": "2026-03-18T00:00:00Z"}, {"cve": "CVE-2026-32868", "cwe": {"id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}, "notes": [{"category": "summary", "text": "OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in the 'My Information' screen. An authenticated attacker can inject parts of an XSS payload in the first and last name fields. The payload is executed when the full name is rendered. The attacker can run script in the context of a victim's session.", "title": "Description"}, {"category": "details", "title": "SSVC", "text": "SSVCv2/E:N/A:N/T:P/2026-03-03T15:53:56Z/"}], "title": "OPEXUS eComplaint and eCASE XSS via my information", "product_status": {"known_affected": ["CSAFPID-0005", "CSAFPID-0003"], "fixed": ["CSAFPID-0006", "CSAFPID-0004"]}, "references": [{"category": "external", "summary": "www.cve.org", "url": "https://www.cve.org/CVERecord?id=CVE-2026-32868"}, {"category": "external", "summary": "raw.githubusercontent.com", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json"}], "scores": [{"cvss_v3": {"baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "products": ["CSAFPID-0005", "CSAFPID-0003"]}], "remediations": [{"category": "vendor_fix", "details": "Fixed in 10.2.0.0", "product_ids": ["CSAFPID-0005"], "date": "2026-03-05T00:00:00Z"}, {"category": "vendor_fix", "details": "Fixed in 10.2.0.0", "product_ids": ["CSAFPID-0006"], "date": "2026-03-05T00:00:00Z"}, {"category": "vendor_fix", "details": "Fixed in 10.2.0.0.", "product_ids": ["CSAFPID-0003"], "date": "2026-03-05T00:00:00Z"}, {"category": "vendor_fix", "details": "Fixed in 10.2.0.0.", "product_ids": ["CSAFPID-0004"], "date": "2026-03-05T00:00:00Z"}], "acknowledgments": [{"organization": "CISA", "names": ["Adam Rose"]}], "release_date": "2026-03-18T00:00:00Z"}, {"cve": "CVE-2026-32869", "cwe": {"id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}, "notes": [{"category": "summary", "text": "OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of the \"Name of Organization\" field when filling out case information. An authenticated attacker can inject an XSS payload which is executed in the context of a victim's session when they visit the case information page.", "title": "Description"}, {"category": "details", "title": "SSVC", "text": "SSVCv2/E:N/A:N/T:P/2026-03-03T15:54:17Z/"}], "title": "OPEXUS eComplaint and eCASE XSS via Name of Organization field", "product_status": {"known_affected": ["CSAFPID-0005", "CSAFPID-0003"], "fixed": ["CSAFPID-0006", "CSAFPID-0004"]}, "references": [{"category": "external", "summary": "raw.githubusercontent.com", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json"}, {"category": "external", "summary": "www.cve.org", "url": "https://www.cve.org/CVERecord?id=CVE-2026-32869"}], "scores": [{"cvss_v3": {"baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "products": ["CSAFPID-0005", "CSAFPID-0003"]}], "remediations": [{"category": "vendor_fix", "details": "Fixed in 10.2.0.0", "product_ids": ["CSAFPID-0005"], "date": "2026-03-05T00:00:00Z"}, {"category": "vendor_fix", "details": "Fixed in 10.2.0.0", "product_ids": ["CSAFPID-0006"], "date": "2026-03-05T00:00:00Z"}, {"category": "vendor_fix", "details": "Fixed in 10.2.0.0.", "product_ids": ["CSAFPID-0003"], "date": "2026-03-05T00:00:00Z"}, {"category": "vendor_fix", "details": "Fixed in 10.2.0.0.", "product_ids": ["CSAFPID-0004"], "date": "2026-03-05T00:00:00Z"}], "acknowledgments": [{"organization": "CISA", "names": ["Adam Rose"]}], "release_date": "2026-03-18T00:00:00Z"}]}