Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
6DescriptionCVE.org
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Equipment Mailbox Details report.
AnalysisAI
Stored cross-site scripting in ManageEngine Exchange Reporter Plus (versions prior to 5802) allows authenticated attackers with low privileges to inject malicious scripts into Equipment Mailbox Details reports, enabling session hijacking and credential theft against administrative users who view the poisoned reports. No active exploitation confirmed (not in CISA KEV), but the vulnerability affects organizations monitoring Microsoft Exchange environments through ManageEngine's reporting platform.
Technical ContextAI
ManageEngine Exchange Reporter Plus is a web-based reporting and auditing solution for Microsoft Exchange Server environments, tracking mailbox usage, email traffic, and resource allocation. This vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a stored XSS condition where user-supplied input in Equipment Mailbox Details reports is not properly sanitized before being rendered in administrators' browsers. Equipment Mailboxes in Exchange are resource accounts representing schedulable assets like conference rooms or vehicles. The affected product is identified by CPE cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:* covering all versions before build 5802. The stored nature of this XSS makes it particularly dangerous as the malicious payload persists in the database and executes whenever privileged users access the affected report, unlike reflected XSS which requires per-victim social engineering.
RemediationAI
Organizations should immediately upgrade ManageEngine Exchange Reporter Plus to version 5802 or later, which contains vendor-supplied fixes addressing the stored XSS vulnerability in Equipment Mailbox Details reports. The official vendor security advisory at https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-3879.html provides detailed upgrade instructions and release notes. Prior to patching, implement compensating controls including restricting access to report creation and modification functions to trusted administrators only, reviewing existing Equipment Mailbox reports for suspicious content or script tags, monitoring authentication logs for unauthorized access to low-privilege accounts that could inject payloads, and educating report consumers about XSS risks and unusual browser behavior when accessing reports. Apply web application firewall rules to detect and block common XSS patterns if WAF infrastructure fronts the ManageEngine instance. Post-upgrade, validate the fix by testing Equipment Mailbox Detail report functionality and reviewing audit logs for any anomalous activity during the vulnerable period.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18621
GHSA-c53v-pgpj-xcg4