CVE-2026-32866 MEDIUM

CVE-2026-32866: OPEXUS eComplaint and eCase stored XSS via profile first and last name

Vendor Opexus
Product eCASE
Weakness CWE-79 · XSS
Published March 19, 2026
Last update March 19, 2026

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in a user profile. An authenticated attacker can inject parts of an XSS payload in their first and last name fields. The payload is executed when the user's full name is rendered. The attacker can run script in the context of a victim's session.
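
The description notes that the payload is split across the two fields and only takes effect when the full name is rendered. The sketch below is an added example, not OPEXUS code: it shows why a check applied to each field separately can pass both halves, and why HTML-escaping at the point of rendering is the reliable control. All function names and the benign sample values are assumptions constructed for illustration.

```javascript
// Added example. Function names and sample values are constructed, not vendor code.

// Hypothetical weak control: validate each profile field on its own by
// rejecting values that contain a complete HTML tag.
function fieldLooksSafe(value) {
  return !/<[^>]*>/.test(value);
}

// Unsafe rendering: stored fields are concatenated straight into markup.
function renderFullNameUnsafe(first, last) {
  return `<span class="user">${first} ${last}</span>`;
}

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the characters that are significant in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Safe rendering: each field is encoded at output time, so the result is
// inert no matter how markup characters are distributed between the fields.
function renderFullNameSafe(first, last) {
  return `<span class="user">${escapeHtml(first)} ${escapeHtml(last)}</span>`;
}

// Count tags that ended up inside the wrapper span (0 means the name stayed text).
function injectedTagCount(html) {
  const inner = html.replace(/^<span class="user">/, "").replace(/<\/span>$/, "");
  return (inner.match(/<[^>]*>/g) || []).length;
}

// Constructed, harmless sample: a <b> tag split across the two fields.
const sampleFirst = "Ann <b";
const sampleLast = "title=x>Lee";

function demo() {
  return {
    perFieldCheckPasses: fieldLooksSafe(sampleFirst) && fieldLooksSafe(sampleLast),
    tagsWhenUnsafe: injectedTagCount(renderFullNameUnsafe(sampleFirst, sampleLast)),
    tagsWhenEscaped: injectedTagCount(renderFullNameSafe(sampleFirst, sampleLast)),
  };
}

console.log(demo());
```

Neither half contains a complete tag, so the per-field check accepts both, yet the concatenated name forms one; the escaped rendering leaves it as text.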

Key dates

02 Disclosure timeline

March 19, 2026 CVE published
March 19, 2026 Record updated