CVE-2026-22232
Unknown Unknown - Not Provided
Stored Cross-Site Scripting in OPEXUS eCASE Audit Project Setup

Publication date: 2026-01-08

Last updated on: 2026-02-05

Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government

Description
OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript in the "A or SIC Number" field within the Project Setup functionality. The JavaScript is executed whenever another user views the project. Fixed in OPEXUS eCASE Audit 11.14.2.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-02-05
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-14
NVD
CVE-2026-22232
EUVD
EUVD-2026-1489
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
opexus ecase_audit 11.14.2.0
opexustech ecase_audit From 11.4.0 (inc) to 11.14.2.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a stored Cross-Site Scripting (XSS) issue in OPEXUS eCASE Audit. An authenticated attacker can insert malicious JavaScript code into the "A or SIC Number" field within the Project Setup functionality. This malicious script is then executed whenever another user views the affected project, potentially allowing unauthorized actions or data exposure. [1]

Impact Analysis

The vulnerability can lead to unauthorized execution of malicious scripts in the context of other users viewing the project. This can result in unauthorized actions, exposure of sensitive data, session hijacking, or other malicious activities that compromise user security and data integrity. [1]

Detection Guidance

This vulnerability involves stored Cross-Site Scripting (XSS) in the "A or SIC Number" field within the Project Setup functionality of OPEXUS eCASE Audit. Detection would involve inspecting the contents of this field for injected JavaScript code. Since it is a stored XSS, monitoring HTTP responses or database entries for suspicious script tags or JavaScript code in this field can help detect exploitation. Specific commands are not provided in the resources, but typical detection might include querying the database for script tags or using web application scanning tools to test input fields for script injection. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade OPEXUS eCASE Audit to version 11.14.2.0 or later, where the vulnerability is fixed by sanitizing and escaping user inputs in the affected fields to prevent stored XSS attacks. Until the upgrade, restrict authenticated user input in the "A or SIC Number" field and monitor for suspicious activity related to script injection. [1]

Compliance Impact

The vulnerability allows an authenticated attacker to inject and execute JavaScript code within the application, which could lead to unauthorized actions or data exposure. Such risks may impact compliance with standards like GDPR and HIPAA that require protection of sensitive data and prevention of unauthorized access. The fixed version includes sanitization and escaping of user inputs to prevent these stored XSS attacks, thereby helping to maintain compliance by protecting user sessions and sensitive data. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22232. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart