← back
CVE-2026-22232

OPEXUS eCASE Audit Project Setup stored XSS

CVSS 4.8 MEDIUMEPSS 0.2%CWE-79
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 4.8EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
08 Jan 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript in the "A or SIC Number" field within the Project Setup functionality. The JavaScript is executed whenever another user views the project. Fixed in OPEXUS eCASE Audit 11.14.2.0.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Affected products
OPEXUS · eCASE Audit

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://docs.opexustech.com/docs/oig/audit/eCase_Audit_Release_Notes_11.14.2.0.pdfhttps://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-008-01.jsonhttps://www.cve.org/CVERecord?id=CVE-2026-22232