Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
6DescriptionCVE.org
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Permissions based on Distribution Groups report.
AnalysisAI
Stored cross-site scripting (XSS) in ManageEngine Exchange Reporter Plus before version 5802 allows authenticated attackers with low privileges to inject malicious scripts into the Permissions based on Distribution Groups report, potentially leading to session hijacking and account compromise of administrators viewing the report. No active exploitation confirmed (CISA KEV absent), but the network-accessible attack vector and low complexity make this exploitable with publicly documented vendor advisory details.
Technical ContextAI
This vulnerability affects Zohocorp ManageEngine Exchange Reporter Plus (CPE: cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus), a web-based reporting solution for Microsoft Exchange environments. The flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as cross-site scripting. The stored XSS variant persists malicious JavaScript payloads in the application database, specifically within the Permissions based on Distribution Groups reporting module. When administrators or privileged users access the compromised report, the injected script executes in their browser context with their session privileges. This represents a failure to sanitize user-controlled input before rendering it in HTML responses, a critical security control for web applications handling Exchange server data visualization.
RemediationAI
Upgrade ManageEngine Exchange Reporter Plus to version 5802 or later, which contains vendor-released patches addressing the stored XSS vulnerability. Download the patched release from Zohocorp's official distribution channels and follow standard upgrade procedures documented in the ManageEngine deployment guide. Review the vendor advisory at https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-28756.html for version-specific installation notes. Post-upgrade, audit existing Distribution Groups reports for suspicious content or JavaScript payloads that may have been injected prior to patching. As a temporary risk reduction measure until patching, restrict access to the Permissions based on Distribution Groups reporting feature to only essential personnel and implement enhanced monitoring of user sessions accessing this module.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18619
GHSA-4g8c-fcmg-72qf