Nixpkgs Security Tracker

Login with GitHub

Suggestion detail

Untriaged

Permalink CVE-2026-32866

5.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): LOW

created 2 days, 22 hours ago

OPEXUS eComplaint and eCase stored XSS via profile first and last name

OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in a user profile. An authenticated attacker can inject parts of an XSS payload in their first and last name fields. The payload is executed when the user's full name is rendered. The attacker can run script in the context of a victim's session.

References

url
url

Affected products

eCASE

<10.1.0.0
==10.1.0.0

Matching in nixpkgs

pkgs.haskellPackages.titlecase

Convert English Words to Title Case

nixos-unstable 1.0.1
- nixpkgs-unstable 1.0.1
- nixos-unstable-small 1.0.1
nixos-25.11 1.0.1
- nixos-25.11-small 1.0.1
- nixpkgs-25.11-darwin 1.0.1

pkgs.python312Packages.titlecase

Python library to capitalize strings as specified by the New York Times

nixos-25.11 2.4
- nixos-25.11-small 2.4
- nixpkgs-25.11-darwin 2.4

pkgs.python313Packages.titlecase

Python library to capitalize strings as specified by the New York Times

nixos-unstable 2.4.1
- nixpkgs-unstable 2.4.1
- nixos-unstable-small 2.4.1
nixos-25.11 2.4
- nixos-25.11-small 2.4
- nixpkgs-25.11-darwin 2.4

pkgs.python314Packages.titlecase

Python library to capitalize strings as specified by the New York Times

nixos-unstable 2.4.1
- nixpkgs-unstable 2.4.1
- nixos-unstable-small 2.4.1

Package maintainers

@peti Peter Simons <simons@cryp.to>