Is Microsoft affected by CVE-2026-3880?

ManageEngine Exchange Reporter Plus contains a stored cross-site scripting vulnerability affecting versions prior to 5802 that allows authenticated users to inject malicious scripts through reporting functionality, potentially leading to session hijacking and credential theft for administrators and…

CVE-2026-3880

EUVD-2026-18623 HIGH

2026-04-03 Zohocorp

GHSA-55qr-4rc4-w5vg

7.3

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Apr 03, 2026 - 12:00 vuln.today

EUVD ID Assigned

Apr 03, 2026 - 12:00 euvd

EUVD-2026-18623

CVE Published

Apr 03, 2026 - 11:41 nvd

HIGH 7.3

Description

Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Public Folder Client Permissions report.

Analysis

Stored cross-site scripting in ManageEngine Exchange Reporter Plus (versions prior to 5802) allows authenticated attackers to inject malicious scripts through the Public Folder Client Permissions report, enabling session hijacking and credential theft with medium exploitation complexity. No active exploitation confirmed (not present in CISA KEV), though the network-accessible attack vector and stored nature of the XSS elevate real-world risk for organizations using this Exchange monitoring solution.

Remediation

Within 24 hours: Identify all ManageEngine Exchange Reporter Plus instances and their current versions via asset inventory; document affected systems below version 5802. Within 7 days: Contact ManageEngine support to obtain version 5802 or later; establish a patching timeline aligned with change management procedures. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +36

POC: 0

CVE-2026-3880 vulnerability details – vuln.today

Back

CVE-2026-3880

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-3880

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code