cbcvebase.
CVE-2026-32868
published 2026-03-19

CVE-2026-32868: OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in the 'My Information' screen. An…

PriorityP426medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EPSS
0.14%
3.8th percentile
OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in the 'My Information' screen. An authenticated attacker can inject parts of an XSS payload in the first and last name fields. The payload is executed when the full name is rendered. The attacker can run script in the context of a victim's session.

Affected

3 ranges
VendorProductVersion rangeFixed in
opexusecase< 10.2.0.010.2.0.0
opexusecomplaint< 10.2.0.010.2.0.0
opexustechecase_ecomplaint< 10.2.0.010.2.0.0

CVSS provenance

nvdv3.15.4MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvdv4.05.1MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.