PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-22233 OPEXUS CVE debrief

CVE-2026-22233 is a medium severity vulnerability in OPEXUS eCASE Audit, allowing an authenticated attacker to save JavaScript as a comment in the 'Estimated Staff Hours' field. The JavaScript is executed whenever another user visits the Project Cost tab. This vulnerability was fixed in OPEXUS eCASE Audit 11.14.2.0. The CVSS score for this vulnerability is 5.5. The vulnerability was published on January 8, 2026.

Vendor: OPEXUS
Product: eCASE Audit
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-08
Original CVE updated: 2026-01-08
Advisory published: 2026-01-08
Advisory updated: 2026-01-08

Who should care

Organizations using OPEXUS eCASE Audit versions prior to 11.14.2.0 should take steps to remediate this vulnerability. Administrators and users of OPEXUS eCASE Audit should review their system configurations and update to the latest version to prevent exploitation. Defenders should also monitor for suspicious activity related to this vulnerability.

Technical summary

CVE-2026-22233 is a stored cross-site scripting (XSS) vulnerability in OPEXUS eCASE Audit. An authenticated attacker can inject JavaScript code as a comment in the 'Estimated Staff Hours' field, which is then executed when another user views the Project Cost tab. The vulnerability has a CVSS score of 5.5 and a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L. The vulnerability was fixed in OPEXUS eCASE Audit 11.14.2.0.

Defensive priority

Defenders should prioritize remediating this vulnerability by updating OPEXUS eCASE Audit to version 11.14.2.0 or later, and should monitor for suspicious activity related to this vulnerability.

Recommended defensive actions

  • Update OPEXUS eCASE Audit to version 11.14.2.0 or later
  • Monitor for potential suspicious activity related to this vulnerability
  • Review system configurations to ensure proper security controls are in place
  • Implement additional security measures to prevent exploitation, such as input validation and output encoding
  • Consider implementing compensating controls, such as web application firewalls, to detect and prevent exploitation

Evidence notes

The vulnerability was reported by CISA and published on January 8, 2026. The vulnerability has a CVSS score of 5.5 and a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L. The vulnerability was fixed in OPEXUS eCASE Audit 11.14.2.0.

This article was generated with AI assistance and is based on the supplied source corpus.