Zohocorp ManageEngine ADSelfService Plus CVE-2026-1367
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
2DescriptionCVE.org
Zohocorp ManageEngine ADSelfService Plus versions 6522 and below are vulnerable to authenticated SQL Injection in the search report option.
AnalysisAI
Authenticated SQL injection in Zohocorp ManageEngine ADSelfService Plus version 6522 and earlier allows logged-in attackers to execute arbitrary SQL queries through the search report functionality, potentially leading to unauthorized data access and modification. With no patch currently available, organizations running affected versions face significant risk of data exfiltration and system compromise by authenticated users.
Technical ContextAI
Classified as CWE-89 (SQL Injection). Zohocorp ManageEngine ADSelfService Plus versions 6522 and below are vulnerable to authenticated SQL Injection in the search report option.
Affected ProductsAI
Zohocorp ManageEngine ADSelfService Plus versions 6522 and below are vulnerable to authenticated SQL Injection in the search report option.
RemediationAI
Monitor vendor advisories for a patch. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today