Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
6DescriptionCVE.org
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Distribution Lists report.
AnalysisAI
Stored cross-site scripting (XSS) in ManageEngine Exchange Reporter Plus versions prior to 5802 allows authenticated attackers with low privileges to inject malicious scripts into Distribution Lists reports that execute when viewed by other users, potentially compromising session tokens and account credentials of administrators or other privileged users. The vulnerability requires user interaction (victim must view the malicious report) but enables high-impact attacks against confidentiality and integrity within the application scope. No public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
This vulnerability affects Zohocorp ManageEngine Exchange Reporter Plus (CPE: cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus), an enterprise reporting and auditing solution for Microsoft Exchange environments. The flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating insufficient input validation and output encoding in the Distribution Lists reporting feature. Stored XSS vulnerabilities occur when user-supplied data is persisted in the application (database, file system, or other storage) and later rendered in web pages without proper sanitization. In this case, malicious JavaScript can be injected into Distribution Lists report fields, stored in the application backend, and executed in the browsers of subsequent users who access the compromised reports. This persistence distinguishes stored XSS from reflected variants and increases the attack surface, as victims need not click malicious links-simply accessing legitimate application functionality triggers the payload.
RemediationAI
Organizations should upgrade ManageEngine Exchange Reporter Plus to version 5802 or later, which contains fixes for this stored XSS vulnerability. The vendor-released patch is available through standard ManageEngine update channels, with detailed installation guidance provided in the official security advisory at https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-28754.html. As an interim mitigation for environments where immediate patching is not feasible, organizations should restrict access to the Distribution Lists reporting feature to only highly trusted administrative accounts, implement additional input validation at the network perimeter (such as web application firewall rules targeting XSS patterns), and educate users with report-viewing privileges about the risks of interacting with unexpected content or prompts within the application interface. However, these workarounds provide incomplete protection and should not be considered substitutes for applying the vendor patch. Post-remediation, administrators should audit existing Distribution Lists reports for evidence of malicious script injection and review application access logs for suspicious authenticated activity during the vulnerable period.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18615