{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32865", "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "state": "PUBLISHED", "assignerShortName": "cisa-cg", "dateReserved": "2026-03-16T20:57:07.192Z", "datePublished": "2026-03-19T15:47:59.962Z", "dateUpdated": "2026-03-19T18:20:51.170Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verification code in the HTTP response when requesting a password reset via 'ForcePasswordReset.aspx'. An attacker who knows an existing user's email address can reset the user's password and security questions. Existing security questions are not asked during the process."}], "affected": [{"vendor": "OPEXUS", "product": "eComplaint", "defaultStatus": "affected", "versions": [{"version": "0", "status": "affected", "lessThan": "10.1.0.0", "versionType": "custom"}, {"version": "10.1.0.0", "status": "unaffected"}]}, {"vendor": "OPEXUS", "product": "eCASE", "defaultStatus": "affected", "versions": [{"version": "0", "status": "affected", "lessThan": "10.1.0.0", "versionType": "custom"}, {"version": "10.1.0.0", "status": "unaffected"}]}], "problemTypes": [{"descriptions": [{"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE", "cweId": "CWE-200"}]}, {"descriptions": [{"description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password", "lang": "en", "type": "CWE", "cweId": "CWE-640"}]}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.2, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}, {"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-03T15:52:17.008706Z", "id": "CVE-2026-32865", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "OPEXUS eComplaint and eCase insecure password reset", "references": [{"name": "url", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json"}, {"name": "url", "url": "https://www.cve.org/CVERecord?id=CVE-2026-32865"}], "credits": [{"value": "Adam Rose, CISA", "lang": "en"}], "datePublic": "2026-03-18T00:00:00.000Z", "providerMetadata": {"orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg", "dateUpdated": "2026-03-19T15:47:59.962Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T18:19:53.389115Z", "id": "CVE-2026-32865", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T18:20:51.170Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32865", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-19T18:19:53.389115Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T18:20:40.656Z"}}], "cna": {"title": "OPEXUS eComplaint and eCase insecure password reset", "credits": [{"lang": "en", "value": "Adam Rose, CISA"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.2, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}, {"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32865", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-03T15:52:17.008706Z"}}}], "affected": [{"vendor": "OPEXUS", "product": "eComplaint", "versions": [{"status": "affected", "version": "0", "lessThan": "10.1.0.0", "versionType": "custom"}, {"status": "unaffected", "version": "10.1.0.0"}], "defaultStatus": "affected"}, {"vendor": "OPEXUS", "product": "eCASE", "versions": [{"status": "affected", "version": "0", "lessThan": "10.1.0.0", "versionType": "custom"}, {"status": "unaffected", "version": "10.1.0.0"}], "defaultStatus": "affected"}], "datePublic": "2026-03-18T00:00:00.000Z", "references": [{"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json", "name": "url"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-32865", "name": "url"}], "descriptions": [{"lang": "en", "value": "OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verification code in the HTTP response when requesting a password reset via 'ForcePasswordReset.aspx'. An attacker who knows an existing user's email address can reset the user's password and security questions. Existing security questions are not asked during the process."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-640", "description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password"}]}], "providerMetadata": {"orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg", "dateUpdated": "2026-03-19T15:47:59.962Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32865", "state": "PUBLISHED", "dateUpdated": "2026-03-19T18:20:51.170Z", "dateReserved": "2026-03-16T20:57:07.192Z", "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "datePublished": "2026-03-19T15:47:59.962Z", "assignerShortName": "cisa-cg"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opexustech:ecase_ecomplaint:*:*:*:*:*:*:*:*", "matchCriteriaId": "00DBEB81-3517-4AB8-9437-400D59729656", "versionEndExcluding": "10.1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verification code in the HTTP response when requesting a password reset via 'ForcePasswordReset.aspx'. An attacker who knows an existing user's email address can reset the user's password and security questions. Existing security questions are not asked during the process."}, {"lang": "es", "value": "OPEXUS eComplaint y eCASE antes de la versi\u00f3n 10.1.0.0 incluyen el c\u00f3digo de verificaci\u00f3n secreto en la respuesta HTTP al solicitar un restablecimiento de contrase\u00f1a a trav\u00e9s de 'ForcePasswordReset.aspx'. Un atacante que conoce la direcci\u00f3n de correo electr\u00f3nico de un usuario existente puede restablecer la contrase\u00f1a y las preguntas de seguridad del usuario. Las preguntas de seguridad existentes no se solicitan durante el proceso."}], "id": "CVE-2026-32865", "lastModified": "2026-03-30T13:12:06.900", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.2, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}]}, "published": "2026-03-19T16:16:03.260", "references": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Broken Link"], "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Third Party Advisory"], "url": "https://www.cve.org/CVERecord?id=CVE-2026-32865"}], "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-640"}], "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,10.1.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "10.1.0.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "ecase", "vendor": "opexus"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,10.1.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "10.1.0.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "eComplaint", "source": "cna", "vendor": "OPEXUS"}, "product": "ecomplaint", "vendor": "opexus"}], "analysis": {"en": {"generated_at": "2026-03-19T17:21:24.813872+00:00", "value": {"mitigation_remediation": ["Apply the vendor's patch to upgrade to version 10.1.0.0 or later.", "If a patch is not yet available, temporarily disable or restrict access to \"ForcePasswordReset.aspx\" to prevent unauthenticated password reset attempts.", "Verify that security questions are required during the password reset process to restore proper authentication flow."], "summary": {"action": "Immediate Patch", "impact": "Account Takeover"}, "threat_synthesis": {"affected_systems": "The affected products are OPEXUS:eCase and OPEXUS:eComplaint. All releases before version 10.1.0.0 are vulnerable.", "description_and_impact": "The vulnerability resides in OPEXUS eComplaint and eCase versions prior to 10.1.0.0 where the secret verification code is exposed in the HTTP response during a password reset request via \"ForcePasswordReset.aspx\". An attacker who knows a user\u2019s email address can trigger this request, obtain the verification code, and then reset the user\u2019s password and security questions without needing to answer existing security questions. This allows the attacker to gain full control over the target account, compromising both confidentiality and integrity of the user\u2019s data. The weakness is well described by CWE-200 (Information Exposure) and CWE-640 (Improper Restriction of Network Access).", "risk_and_exploitability": "With a CVSS score of 9.2 the vulnerability is considered critical. Exploitation requires no prior authentication; the attacker only needs to know a valid email address and can send the HTTP request directly to the affected endpoint. While EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, the exposed secret verification code and the lack of security question prompts make exploitation straightforward and highly likely in environments where the endpoint is publicly reachable."}}}}, "created": "2026-03-20T08:56:43.749568+00:00", "updated": "2026-03-20T14:14:48.151767+00:00", "vendors": ["opexus", "opexus$PRODUCT$ecase", "opexus$PRODUCT$ecomplaint"]}