CRITICALCVE-2026-22234Published Modified CNA cisa-cg
CVE-2026-22234: OPEXUS eCasePortal unauthenticated IDOR
OPEXUS eCasePortal before version 9.0.45.0 allows an unauthenticated attacker to navigate to the 'Attachments.aspx' endpoint, iterate through predictable values of 'formid', and download or delete all user-uploaded files, or upload new files.
Metrics
- CVSS v4.0
- 9.3
- Severity
- CRITICAL
- Fixed in
- 9.0.45.0
- Affected Products
- 1
Fix available
9.0.45.0
Affected packages
- OPEXUS / eCase Portal< 9.0.45.0 (from 0)Fixed in 9.0.45.0
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N