opexustech 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
公開された問題は vendor risk cross-site scripting、vendor risk sql injection, and パス処理の欠陥 に関連することが多く、vendor surface production workloads and vendor surface software deployment の文脈で ファイル上書き and vendor impact data exposure などの暴露リスクを伴う場合があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2026-32869 | OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of the "Name of Organization" field when filling out case information. An authenticated attacker can inject an XSS payload which is executed in the context of a victim's session when they visit the case information page. | 9119a7d8-5eab-497f-8521-727c672e3725 | 5.1 | 0.03% | 2026-03-19 | 2026-03-30 |
| CVE-2026-32868 | OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in the 'My Information' screen. An authenticated attacker can inject parts of an XSS payload in the first and last name fields. The payload is executed when the full name is rendered. The attacker can run script in the context of a victim's session. | 9119a7d8-5eab-497f-8521-727c672e3725 | 5.1 | 0.03% | 2026-03-19 | 2026-03-30 |
| CVE-2026-32867 | OPEXUS eComplaint before version 10.1.0.0 allows an unauthenticated attacker to obtain or guess an existing case number and upload arbitrary files via 'Portal/EEOC/DocumentUploadPub.aspx'. Users would see these unexpected files in cases. Uploading a large number of files could consume storage. | 9119a7d8-5eab-497f-8521-727c672e3725 | 5.3 | 0.06% | 2026-03-19 | 2026-03-30 |
| CVE-2026-32866 | OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in a user profile. An authenticated attacker can inject parts of an XSS payload in their first and last name fields. The payload is executed when the user's full name is rendered. The attacker can run script in the context of a victim's session. | 9119a7d8-5eab-497f-8521-727c672e3725 | 5.1 | 0.03% | 2026-03-19 | 2026-03-30 |
| CVE-2026-32865 | OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verification code in the HTTP response when requesting a password reset via 'ForcePasswordReset.aspx'. An attacker who knows an existing user's email address can reset the user's password and security questions. Existing security questions are not asked during the process. | 9119a7d8-5eab-497f-8521-727c672e3725 | 9.2 | 0.05% | 2026-03-19 | 2026-03-30 |
| CVE-2026-22235 | OPEXUS eComplaint before version 9.0.45.0 allows an attacker to visit the the 'DocumentOpen.aspx' endpoint, iterate through predictable values of 'chargeNumber', and download any uploaded files. | 9119a7d8-5eab-497f-8521-727c672e3725 | 8.7 | 0.03% | 2026-01-08 | 2026-02-18 |
| CVE-2026-22234 | OPEXUS eCasePortal before version 9.0.45.0 allows an unauthenticated attacker to navigate to the 'Attachments.aspx' endpoint, iterate through predictable values of 'formid', and download or delete all user-uploaded files, or upload new files. | 9119a7d8-5eab-497f-8521-727c672e3725 | 9.3 | 0.06% | 2026-01-08 | 2026-02-18 |
| CVE-2026-22233 | OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment in the "Estimated Staff Hours" field. The JavaScript is executed whenever another user visits the Project Cost tab. Fixed in OPEXUS eCASE Audit 11.14.2.0. | 9119a7d8-5eab-497f-8521-727c672e3725 | 4.8 | 0.03% | 2026-01-08 | 2026-02-05 |
| CVE-2026-22232 | OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript in the "A or SIC Number" field within the Project Setup functionality. The JavaScript is executed whenever another user views the project. Fixed in OPEXUS eCASE Audit 11.14.2.0. | 9119a7d8-5eab-497f-8521-727c672e3725 | 4.8 | 0.03% | 2026-01-08 | 2026-02-05 |
| CVE-2026-22231 | OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment within the Document Check Out functionality. The JavaScript is executed whenever another user views the Action History Log. Fixed in OPEXUS eCASE Platform 11.14.1.0. | 9119a7d8-5eab-497f-8521-727c672e3725 | 4.8 | 0.03% | 2026-01-08 | 2026-02-05 |
| CVE-2026-22230 | OPEXUS eCASE Audit allows an authenticated attacker to modify client-side JavaScript or craft HTTP requests to access functions or buttons that have been disabled or blocked by an administrator. Fixed in eCASE Platform 11.14.1.0. | 9119a7d8-5eab-497f-8521-727c672e3725 | 7.2 | 0.04% | 2026-01-08 | 2026-01-26 |
| CVE-2025-62586 | OPEXUS FOIAXpress allows a remote, unauthenticated attacker to reset the administrator password. Fixed in FOIAXpress version 11.13.2.0. | 9119a7d8-5eab-497f-8521-727c672e3725 | 8.9 | 0.08% | 2025-10-16 | 2025-10-29 |
| CVE-2025-61999 | OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to upload JavaScript or other content embedded in an SVG image used as a logo. Injected content is executed in the context of other users when they view affected pages. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data. | 9119a7d8-5eab-497f-8521-727c672e3725 | 4.8 | 0.02% | 2025-10-08 | 2025-10-22 |
| CVE-2025-61998 | OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content as a URL within the Technical Support Hyperlink Manager. Injected content is executed in the context of other users when they click the malicious link. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data. | 9119a7d8-5eab-497f-8521-727c672e3725 | 4.8 | 0.02% | 2025-10-08 | 2025-10-22 |
| CVE-2025-61997 | OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content within the Annual Report Enterprise Banner image upload field. Injected content is executed in the context of other users when they generate an Annual Report. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data. | 9119a7d8-5eab-497f-8521-727c672e3725 | 4.8 | 0.02% | 2025-10-08 | 2025-10-22 |
| CVE-2025-61996 | OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content within the Annual Report Template. Injected content is executed in the context of other users when they generate an Annual Report. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data. | 9119a7d8-5eab-497f-8521-727c672e3725 | 4.8 | 0.02% | 2025-10-08 | 2025-10-22 |
| CVE-2025-58462 | OPEXUS FOIAXpress Public Access Link (PAL) before version 11.13.1.0 allows SQL injection via SearchPopularDocs.aspx. A remote, unauthenticated attacker could read, write, or delete any content in the underlying database. | 9119a7d8-5eab-497f-8521-727c672e3725 | 9.3 | 0.07% | 2025-09-09 | 2025-09-26 |
| CVE-2025-54834 | OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 allows an unauthenticated, remote attacker to query the /App/CreateRequest.aspx endpoint to check for the existence of valid usernames. There are no rate-limiting mechanisms in place. | 9119a7d8-5eab-497f-8521-727c672e3725 | 6.9 | 0.05% | 2025-07-31 | 2026-01-23 |
| CVE-2025-54833 | OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 allows attackers to bypass account-lockout and CAPTCHA protections. Unauthenticated remote attackers can more easily brute force passwords. | 9119a7d8-5eab-497f-8521-727c672e3725 | 6.9 | 0.16% | 2025-07-31 | 2026-01-23 |
| CVE-2025-54832 | OPEXUS FOIAXpress Public Access Link (PAL), version v11.1.0, allows an authenticated user to add entries to the list of states and territories. | 9119a7d8-5eab-497f-8521-727c672e3725 | 5.3 | 0.19% | 2025-07-31 | 2026-01-23 |