Skip to main content

Microsoft CVE-2026-28703

| EUVDEUVD-2026-18617 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-04-03 Zohocorp
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:07 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
5802
EUVD ID Assigned
Apr 03, 2026 - 12:00 euvd
EUVD-2026-18617
Analysis Generated
Apr 03, 2026 - 12:00 vuln.today
CVE Published
Apr 03, 2026 - 11:29 nvd
HIGH 7.3

DescriptionCVE.org

Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Mails Exchanged Between Users report.

AnalysisAI

Stored cross-site scripting (XSS) in ManageEngine Exchange Reporter Plus before version 5802 allows authenticated attackers to inject malicious scripts into the 'Mails Exchanged Between Users' report. With CVSS 7.3 (High severity) and low attack complexity (AC:L), this vulnerability requires low-privilege authentication (PR:L) and user interaction (UI:R) to achieve high confidentiality and integrity impact. No public exploit identified at time of analysis, though authentication requirements lower the barrier for insider threats or compromised accounts.

Technical ContextAI

ManageEngine Exchange Reporter Plus is a Microsoft Exchange Server reporting and analytics solution from Zohocorp. This vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic stored XSS weakness where user-supplied data is not properly sanitized before being stored and rendered in web reports. The affected component is specifically the 'Mails Exchanged Between Users' report feature, which likely displays email metadata or content. When malicious JavaScript is injected into report parameters or data fields, it persists in the application database and executes in the browsers of users viewing the compromised report. The CPE identifier (cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:*) confirms all versions prior to the fixed release are affected, indicating a long-standing input validation gap in the reporting engine's data handling routines.

RemediationAI

Upgrade ManageEngine Exchange Reporter Plus to version 5802 or later, which contains vendor-released patches addressing the stored XSS vulnerability. The official vendor security advisory at https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-28703.html provides download links and upgrade instructions. Organizations should prioritize patching systems accessible to less-trusted users or those processing sensitive email metadata. As interim mitigation while planning upgrades, restrict access to the 'Mails Exchanged Between Users' report feature to highly trusted administrators only, implement Content Security Policy (CSP) headers if supported, and monitor report usage logs for suspicious access patterns. No workaround fully eliminates the risk; upgrade to build 5802 is the definitive remediation.

Share

CVE-2026-28703 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy