CVE-2026-22234

CRITICAL 9.8

OPEXUS eCasePortal unauthenticated IDOR

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

OPEXUS eCasePortal before version 9.0.45.0 allows an unauthenticated attacker to navigate to the 'Attachments.aspx' endpoint, iterate through predictable values of 'formid', and download or delete all user-uploaded files, or upload new files.

CWE	CWE-639
Vendor	opexus
Product	ecase portal
Published	Jan 8, 2026
Last Updated	Mar 10, 2026

Stay Ahead of the Next One

Get instant alerts for opexus ecase portal

Be the first to know when new critical vulnerabilities affecting opexus ecase portal are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

OPEXUS / eCase Portal

0 < 9.0.45.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

cve.org: https://www.cve.org/CVERecord?id=CVE-2026-22234 raw.githubusercontent.com: https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-008-02.json

Credits

Zach Crosman, CISA