CVE-2026-32865

OPEXUS eComplaint and eCase insecure password reset

CVSS 9.2 CRITICALEPSS 0.3%CWE-200 CWE-640

Vexday Risk Score

28Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 9.2EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

19 mar 2026Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verification code in the HTTP response when requesting a password reset via 'ForcePasswordReset.aspx'. An attacker who knows an existing user's email address can reset the user's password and security questions. Existing security questions are not asked during the process.

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Produtos afetados

OPEXUS · eCASE OPEXUS · eComplaint

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json https://www.cve.org/CVERecord?id=CVE-2026-32865