CVE-2026-22232

low-risk
Published 2026-01-08

OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript in the "A or SIC Number" field within the Project Setup functionality. The JavaScript is executed whenever another user views the project. Fixed in OPEXUS eCASE Audit 11.14.2.0.

Do I need to act?

-
0.01% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.5/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Ecase Audit

Affected Vendors

Opexustech

References (3)

Release Notes https://docs.opexustech.com/docs/oig/audit/eCase_Audit_Release_Notes_11.14.2.0.p...
Broken Link https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/...
Third Party Advisory https://www.cve.org/CVERecord?id=CVE-2026-22232
26
/ 100
low-risk
Severity 21/34 · High
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal