Description

OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript in the "A or SIC Number" field within the Project Setup functionality. The JavaScript is executed whenever another user views the project. Fixed in OPEXUS eCASE Audit 11.14.2.0.

PUBLISHED Reserved 2026-01-06 | Published 2026-01-08 | Updated 2026-01-08 | Assigner cisa-cg




MEDIUM: 4.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
MEDIUM: 5.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status
unknown

11.4.0 (custom) before 11.14.2.0
affected

11.14.2.0
unaffected

Credits

Aaron M. Ramirez, Son Nguyen, Wesley Cuffee, United States Department of Justice

References

docs.opexustech.com/...ase_Audit_Release_Notes_11.14.2.0.pdf (url) release-notes

www.cve.org/CVERecord?id=CVE-2026-22232 (url) vdb-entry

raw.githubusercontent.com/...IT/white/2025/va-26-008-01.json (url) government-resource third-party-advisory

cve.org (CVE-2026-22232)

nvd.nist.gov (CVE-2026-22232)
