{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32865", "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "state": "PUBLISHED", "assignerShortName": "cisa-cg", "dateReserved": "2026-03-16T20:57:07.192Z", "datePublished": "2026-03-19T15:47:59.962Z", "dateUpdated": "2026-03-19T18:20:51.170Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verification code in the HTTP response when requesting a password reset via 'ForcePasswordReset.aspx'. An attacker who knows an existing user's email address can reset the user's password and security questions. Existing security questions are not asked during the process."}], "affected": [{"vendor": "OPEXUS", "product": "eComplaint", "defaultStatus": "affected", "versions": [{"version": "0", "status": "affected", "lessThan": "10.1.0.0", "versionType": "custom"}, {"version": "10.1.0.0", "status": "unaffected"}]}, {"vendor": "OPEXUS", "product": "eCASE", "defaultStatus": "affected", "versions": [{"version": "0", "status": "affected", "lessThan": "10.1.0.0", "versionType": "custom"}, {"version": "10.1.0.0", "status": "unaffected"}]}], "problemTypes": [{"descriptions": [{"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE", "cweId": "CWE-200"}]}, {"descriptions": [{"description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password", "lang": "en", "type": "CWE", "cweId": "CWE-640"}]}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.2, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}, {"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-03T15:52:17.008706Z", "id": "CVE-2026-32865", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "OPEXUS eComplaint and eCase insecure password reset", "references": [{"name": "url", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json"}, {"name": "url", "url": "https://www.cve.org/CVERecord?id=CVE-2026-32865"}], "credits": [{"value": "Adam Rose, CISA", "lang": "en"}], "datePublic": "2026-03-18T00:00:00.000Z", "providerMetadata": {"orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg", "dateUpdated": "2026-03-19T15:47:59.962Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T18:19:53.389115Z", "id": "CVE-2026-32865", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T18:20:51.170Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32865", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-19T18:19:53.389115Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T18:20:40.656Z"}}], "cna": {"title": "OPEXUS eComplaint and eCase insecure password reset", "credits": [{"lang": "en", "value": "Adam Rose, CISA"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.2, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}, {"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32865", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-03T15:52:17.008706Z"}}}], "affected": [{"vendor": "OPEXUS", "product": "eComplaint", "versions": [{"status": "affected", "version": "0", "lessThan": "10.1.0.0", "versionType": "custom"}, {"status": "unaffected", "version": "10.1.0.0"}], "defaultStatus": "affected"}, {"vendor": "OPEXUS", "product": "eCASE", "versions": [{"status": "affected", "version": "0", "lessThan": "10.1.0.0", "versionType": "custom"}, {"status": "unaffected", "version": "10.1.0.0"}], "defaultStatus": "affected"}], "datePublic": "2026-03-18T00:00:00.000Z", "references": [{"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json", "name": "url"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-32865", "name": "url"}], "descriptions": [{"lang": "en", "value": "OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verification code in the HTTP response when requesting a password reset via 'ForcePasswordReset.aspx'. An attacker who knows an existing user's email address can reset the user's password and security questions. Existing security questions are not asked during the process."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-640", "description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password"}]}], "providerMetadata": {"orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg", "dateUpdated": "2026-03-19T15:47:59.962Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32865", "state": "PUBLISHED", "dateUpdated": "2026-03-19T18:20:51.170Z", "dateReserved": "2026-03-16T20:57:07.192Z", "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "datePublished": "2026-03-19T15:47:59.962Z", "assignerShortName": "cisa-cg"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opexustech:ecase_ecomplaint:*:*:*:*:*:*:*:*", "matchCriteriaId": "00DBEB81-3517-4AB8-9437-400D59729656", "versionEndExcluding": "10.1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verification code in the HTTP response when requesting a password reset via 'ForcePasswordReset.aspx'. An attacker who knows an existing user's email address can reset the user's password and security questions. Existing security questions are not asked during the process."}, {"lang": "es", "value": "OPEXUS eComplaint y eCASE antes de la versi\u00f3n 10.1.0.0 incluyen el c\u00f3digo de verificaci\u00f3n secreto en la respuesta HTTP al solicitar un restablecimiento de contrase\u00f1a a trav\u00e9s de 'ForcePasswordReset.aspx'. Un atacante que conoce la direcci\u00f3n de correo electr\u00f3nico de un usuario existente puede restablecer la contrase\u00f1a y las preguntas de seguridad del usuario. Las preguntas de seguridad existentes no se solicitan durante el proceso."}], "id": "CVE-2026-32865", "lastModified": "2026-03-30T13:12:06.900", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.2, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}]}, "published": "2026-03-19T16:16:03.260", "references": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Broken Link"], "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Third Party Advisory"], "url": "https://www.cve.org/CVERecord?id=CVE-2026-32865"}], "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-640"}], "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,10.1.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "10.1.0.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "ecase", "vendor": "opexus"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,10.1.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "10.1.0.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "eComplaint", "source": "cna", "vendor": "OPEXUS"}, "product": "ecomplaint", "vendor": "opexus"}], "analysis": {"en": {"generated_at": "2026-03-30T14:38:25.277493+00:00", "value": {"mitigation_remediation": ["Apply the vendor-supplied patch or upgrade to OPEXUS eCase and eComplaint version 10.1.0.0 or later."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Account Access"}, "threat_synthesis": {"affected_systems": "The vulnerability affects OPEXUS eCase and eComplaint prior to version 10.1.0.0. Any installation of these products that has not been upgraded beyond that release is susceptible.", "description_and_impact": "OPEXUS eComplaint and eCASE leak a secret verification code in the HTTP response when an account password reset is requested through the ForcePasswordReset.aspx endpoint. An attacker who knows a user\u2019s email address can use this code to reset the user\u2019s password and overwrite the security questions without being prompted for the existing questions. This flaw exposes sensitive information (CWE\u2011200) and allows unauthorized password reset (CWE\u2011640), resulting in full account takeover and compromise of confidentiality, integrity, and trust for the affected users.", "risk_and_exploitability": "The high CVSS score of 9.2 signals a critical impact, but the EPSS score of less than 1% indicates low likelihood of exploitation at this time and the issue is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog. The attack vector is inferred to be remote, via the web interface, as the vulnerable endpoint is an HTTP service. An attacker would need the target email address, which may be leaked or discovered through other means, to exploit the flaw."}}}}, "created": "2026-03-20T08:56:43.749568+00:00", "updated": "2026-03-30T20:59:08.401176+00:00", "vendors": ["opexus", "opexus$PRODUCT$ecase", "opexus$PRODUCT$ecomplaint"]}