Opexustech

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2026-32869 1Opexustech 1Ecase Ecomplaint Mar 30, 2026 Mar 19, 2026 5.1 MEDIUM· v4 5.4 MEDIUM· v3 N/A· v2 OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of the "Name of Organization" field when filling out case information. An authenticated attacker can inject an XSS payload which is execu...Show more OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of the "Name of Organization" field when filling out case information. An authenticated attacker can inject an XSS payload which is executed in the context of a victim's session when they visit the case information page.Show less
CVE-2026-32868 1Opexustech 1Ecase Ecomplaint Mar 30, 2026 Mar 19, 2026 5.1 MEDIUM· v4 5.4 MEDIUM· v3 N/A· v2 OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in the 'My Information' screen. An authenticated attacker can inject parts of an XSS payload in the first a...Show more OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in the 'My Information' screen. An authenticated attacker can inject parts of an XSS payload in the first and last name fields. The payload is executed when the full name is rendered. The attacker can run script in the context of a victim's session.Show less
CVE-2026-32867 1Opexustech 1Ecase Ecomplaint Mar 30, 2026 Mar 19, 2026 5.3 MEDIUM· v4 9.8 CRITICAL· v3 N/A· v2 OPEXUS eComplaint before version 10.1.0.0 allows an unauthenticated attacker to obtain or guess an existing case number and upload arbitrary files via 'Portal/EEOC/DocumentUploadPub.aspx'. Users would see these unexpecte...Show more OPEXUS eComplaint before version 10.1.0.0 allows an unauthenticated attacker to obtain or guess an existing case number and upload arbitrary files via 'Portal/EEOC/DocumentUploadPub.aspx'. Users would see these unexpected files in cases. Uploading a large number of files could consume storage.Show less
CVE-2026-32866 1Opexustech 1Ecase Ecomplaint Mar 30, 2026 Mar 19, 2026 5.1 MEDIUM· v4 5.4 MEDIUM· v3 N/A· v2 OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in a user profile. An authenticated attacker can inject parts of an XSS payload in their first and last nam...Show more OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in a user profile. An authenticated attacker can inject parts of an XSS payload in their first and last name fields. The payload is executed when the user's full name is rendered. The attacker can run script in the context of a victim's session.Show less
CVE-2026-32865 1Opexustech 1Ecase Ecomplaint Mar 30, 2026 Mar 19, 2026 9.2 CRITICAL· v4 9.8 CRITICAL· v3 N/A· v2 OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verification code in the HTTP response when requesting a password reset via 'ForcePasswordReset.aspx'. An attacker who knows an existing user's email...Show more OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verification code in the HTTP response when requesting a password reset via 'ForcePasswordReset.aspx'. An attacker who knows an existing user's email address can reset the user's password and security questions. Existing security questions are not asked during the process.Show less
CVE-2026-22235 1Opexustech 1Ecase Ecomplaint Feb 18, 2026 Jan 8, 2026 8.7 HIGH· v4 7.5 HIGH· v3 N/A· v2 OPEXUS eComplaint before version 9.0.45.0 allows an attacker to visit the the 'DocumentOpen.aspx' endpoint, iterate through predictable values of 'chargeNumber', and download any uploaded files.
CVE-2026-22234 1Opexustech 1Ecase Portal Feb 18, 2026 Jan 8, 2026 9.3 CRITICAL· v4 9.8 CRITICAL· v3 N/A· v2 OPEXUS eCasePortal before version 9.0.45.0 allows an unauthenticated attacker to navigate to the 'Attachments.aspx' endpoint, iterate through predictable values of 'formid', and download or delete all user-uploaded files...Show more OPEXUS eCasePortal before version 9.0.45.0 allows an unauthenticated attacker to navigate to the 'Attachments.aspx' endpoint, iterate through predictable values of 'formid', and download or delete all user-uploaded files, or upload new files.Show less
CVE-2026-22233 1Opexustech 1Ecase Audit Feb 5, 2026 Jan 8, 2026 4.8 MEDIUM· v4 5.4 MEDIUM· v3 N/A· v2 OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment in the "Estimated Staff Hours" field. The JavaScript is executed whenever another user visits the Project Cost tab. Fixed in OPEXUS eCAS...Show more OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment in the "Estimated Staff Hours" field. The JavaScript is executed whenever another user visits the Project Cost tab. Fixed in OPEXUS eCASE Audit 11.14.2.0.Show less
CVE-2026-22232 1Opexustech 1Ecase Audit Feb 5, 2026 Jan 8, 2026 4.8 MEDIUM· v4 5.4 MEDIUM· v3 N/A· v2 OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript in the "A or SIC Number" field within the Project Setup functionality. The JavaScript is executed whenever another user views the project. Fixed in O...Show more OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript in the "A or SIC Number" field within the Project Setup functionality. The JavaScript is executed whenever another user views the project. Fixed in OPEXUS eCASE Audit 11.14.2.0.Show less
CVE-2026-22231 1Opexustech 1Ecase Audit Feb 5, 2026 Jan 8, 2026 4.8 MEDIUM· v4 5.4 MEDIUM· v3 N/A· v2 OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment within the Document Check Out functionality. The JavaScript is executed whenever another user views the Action History Log. Fixed in OPE...Show more OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment within the Document Check Out functionality. The JavaScript is executed whenever another user views the Action History Log. Fixed in OPEXUS eCASE Platform 11.14.1.0.Show less
CVE-2026-22230 1Opexustech 1Ecase Audit Jan 26, 2026 Jan 8, 2026 7.2 HIGH· v4 7.6 HIGH· v3 N/A· v2 OPEXUS eCASE Audit allows an authenticated attacker to modify client-side JavaScript or craft HTTP requests to access functions or buttons that have been disabled or blocked by an administrator. Fixed in eCASE Platform 1...Show more OPEXUS eCASE Audit allows an authenticated attacker to modify client-side JavaScript or craft HTTP requests to access functions or buttons that have been disabled or blocked by an administrator. Fixed in eCASE Platform 11.14.1.0.Show less
CVE-2025-62586 1Opexustech 1Foiaxpress Oct 29, 2025 Oct 16, 2025 8.9 HIGH· v4 9.8 CRITICAL· v3 N/A· v2 OPEXUS FOIAXpress allows a remote, unauthenticated attacker to reset the administrator password. Fixed in FOIAXpress version 11.13.2.0.
CVE-2025-61999 1Opexustech 1Foiaxpress Oct 22, 2025 Oct 8, 2025 4.8 MEDIUM· v4 4.8 MEDIUM· v3 N/A· v2 OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to upload JavaScript or other content embedded in an SVG image used as a logo. Injected content is executed in the context of other users when they view af...Show more OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to upload JavaScript or other content embedded in an SVG image used as a logo. Injected content is executed in the context of other users when they view affected pages. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data.Show less
CVE-2025-61998 1Opexustech 1Foiaxpress Oct 22, 2025 Oct 8, 2025 4.8 MEDIUM· v4 4.8 MEDIUM· v3 N/A· v2 OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content as a URL within the Technical Support Hyperlink Manager. Injected content is executed in the context of other users w...Show more OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content as a URL within the Technical Support Hyperlink Manager. Injected content is executed in the context of other users when they click the malicious link. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data.Show less
CVE-2025-61997 1Opexustech 1Foiaxpress Oct 22, 2025 Oct 8, 2025 4.8 MEDIUM· v4 4.8 MEDIUM· v3 N/A· v2 OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content within the Annual Report Enterprise Banner image upload field. Injected content is executed in the context of other u...Show more OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content within the Annual Report Enterprise Banner image upload field. Injected content is executed in the context of other users when they generate an Annual Report. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data.Show less
CVE-2025-61996 1Opexustech 1Foiaxpress Oct 22, 2025 Oct 8, 2025 4.8 MEDIUM· v4 4.8 MEDIUM· v3 N/A· v2 OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content within the Annual Report Template. Injected content is executed in the context of other users when they generate an A...Show more OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content within the Annual Report Template. Injected content is executed in the context of other users when they generate an Annual Report. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data.Show less
CVE-2025-58462 1Opexustech 1Foiaxpress Public Access Link Sep 26, 2025 Sep 9, 2025 9.3 CRITICAL· v4 9.8 CRITICAL· v3 N/A· v2 OPEXUS FOIAXpress Public Access Link (PAL) before version 11.13.1.0 allows SQL injection via SearchPopularDocs.aspx. A remote, unauthenticated attacker could read, write, or delete any content in the underlying database.
CVE-2025-54834 1Opexustech 1Foiaxpress Public Access Link Jan 23, 2026 Jul 31, 2025 6.9 MEDIUM· v4 5.3 MEDIUM· v3 N/A· v2 OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 allows an unauthenticated, remote attacker to query the /App/CreateRequest.aspx endpoint to check for the existence of valid usernames. There are no rate-limitin...Show more OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 allows an unauthenticated, remote attacker to query the /App/CreateRequest.aspx endpoint to check for the existence of valid usernames. There are no rate-limiting mechanisms in place.Show less
CVE-2025-54833 1Opexustech 1Foiaxpress Public Access Link Jan 23, 2026 Jul 31, 2025 6.9 MEDIUM· v4 7.5 HIGH· v3 N/A· v2 OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 allows attackers to bypass account-lockout and CAPTCHA protections. Unauthenticated remote attackers can more easily brute force passwords.
CVE-2025-54832 1Opexustech 1Foiaxpress Public Access Link Jan 23, 2026 Jul 31, 2025 5.3 MEDIUM· v4 4.3 MEDIUM· v3 N/A· v2 OPEXUS FOIAXpress Public Access Link (PAL), version v11.1.0, allows an authenticated user to add entries to the list of states and territories.

12 Next