Opexus Ecomplaint vulnerabilities
5 known vulnerabilities affecting opexus/ecomplaint.
Total CVEs
5
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL2HIGH1MEDIUM2
Vulnerabilities
Page 1 of 1
CVE-2026-32867P2CRITICALCVSS 9.8fixed in 10.1.0.02026-03-19
CVE-2026-32867 [CRITICAL] CWE-425 CVE-2026-32867: OPEXUS eComplaint before version 10.1.0.0 allows an unauthenticated attacker to obtain or guess an e
OPEXUS eComplaint before version 10.1.0.0 allows an unauthenticated attacker to obtain or guess an existing case number and upload arbitrary files via 'Portal/EEOC/DocumentUploadPub.aspx'. Users would see these unexpected files in cases. Uploading a large number of files could consume storage.
nvd
CVE-2026-32865P3CRITICALCVSS 9.8fixed in 10.1.0.02026-03-19
CVE-2026-32865 [CRITICAL] CWE-200 CVE-2026-32865: OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verification code in the HTTP
OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verification code in the HTTP response when requesting a password reset via 'ForcePasswordReset.aspx'. An attacker who knows an existing user's email address can reset the user's password and security questions. Existing security questions are not asked during the process.
nvd
CVE-2026-22235P3HIGHCVSS 7.5fixed in 9.0.45.02026-01-08
CVE-2026-22235 [HIGH] CWE-639 CVE-2026-22235: OPEXUS eComplaint before version 9.0.45.0 allows an attacker to visit the the 'DocumentOpen.aspx' en
OPEXUS eComplaint before version 9.0.45.0 allows an attacker to visit the the 'DocumentOpen.aspx' endpoint, iterate through predictable values of 'chargeNumber', and download any uploaded files.
nvd
CVE-2026-32868P4MEDIUMCVSS 5.4fixed in 10.2.0.02026-03-19
CVE-2026-32868 [MEDIUM] CWE-79 CVE-2026-32868: OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last
OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in the 'My Information' screen. An authenticated attacker can inject parts of an XSS payload in the first and last name fields. The payload is executed when the full name is rendered. The attacker can run script in the context of a victim'
nvd
CVE-2026-32869P4MEDIUMCVSS 5.4fixed in 10.2.0.02026-03-19
CVE-2026-32869 [MEDIUM] CWE-79 CVE-2026-32869: OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of the "Name of O
OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of the "Name of Organization" field when filling out case information. An authenticated attacker can inject an XSS payload which is executed in the context of a victim's session when they visit the case information page.
nvd