CVE-2026-32868 is a cross-site scripting (XSS) vulnerability classified under CWE-79 affecting OPEXUS eComplaint and eCASE products prior to version 10.2.0.0. The flaw exists because the application fails to properly sanitize the first and last name input fields on the 'My Information' screen. An attacker with authenticated access can inject parts of an XSS payload into these fields. When the victim’s full name is rendered in the application interface, the injected script executes in the victim’s browser context, potentially allowing session hijacking, credential theft, or other malicious actions within the victim’s session scope. The CVSS 4.0 score is 5.1 (medium), reflecting network attack vector, low attack complexity, no privileges required beyond authentication, and user interaction needed to trigger the payload. The vulnerability does not affect system components beyond the web interface and does not require elevated privileges, but it leverages the trust of authenticated users viewing the compromised data. No patches are currently linked, and no known exploits have been reported in the wild, but the risk remains significant for organizations relying on these products for complaint and case management.

The primary impact of this vulnerability is the potential execution of arbitrary scripts in the context of authenticated users, which can lead to session hijacking, unauthorized actions on behalf of the victim, and disclosure of sensitive information. This undermines the confidentiality and integrity of user sessions and data within the affected applications. While the availability impact is limited, attackers could use the vulnerability to perform actions that disrupt normal operations or escalate privileges indirectly. Organizations using OPEXUS eComplaint and eCASE in sectors such as government, legal, or customer service may face reputational damage, data breaches, and compliance violations if exploited. The requirement for authentication limits exposure to some extent, but insider threats or compromised accounts increase risk. The lack of known exploits currently reduces immediate threat but does not eliminate future exploitation possibilities.

Organizations should upgrade OPEXUS eComplaint and eCASE to version 10.2.0.0 or later once available to fully remediate this vulnerability. In the interim, implement strict input validation and output encoding on all user-supplied data fields, especially first and last name inputs, to neutralize malicious scripts. Employ Content Security Policy (CSP) headers to restrict script execution sources and reduce XSS impact. Conduct regular user training to recognize suspicious behavior and limit privilege escalation. Monitor application logs for unusual input patterns or script injection attempts. Consider implementing multi-factor authentication to reduce risk from compromised credentials. Engage with OPEXUS support for any available patches or workarounds and apply web application firewalls (WAF) with custom rules targeting XSS payloads in user input fields. Regularly review and update security policies related to web application security.