Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
6DescriptionCVE.org
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Public Folder Client Permissions report.
AnalysisAI
Stored cross-site scripting in ManageEngine Exchange Reporter Plus (versions prior to 5802) allows authenticated attackers to inject malicious scripts through the Public Folder Client Permissions report, enabling session hijacking and credential theft with medium exploitation complexity. No active exploitation confirmed (not present in CISA KEV), though the network-accessible attack vector and stored nature of the XSS elevate real-world risk for organizations using this Exchange monitoring solution.
Technical ContextAI
ManageEngine Exchange Reporter Plus is a reporting and monitoring solution for Microsoft Exchange environments. This vulnerability stems from improper neutralization of input during web page generation (CWE-79), specifically affecting the Public Folder Client Permissions report feature. The stored XSS variant persists malicious JavaScript in the application's data store, causing it to execute whenever other users view the affected report. The CPE identifier cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus confirms this affects Zohocorp's Exchange Reporter Plus product across all versions prior to the patched release. Unlike reflected XSS, stored XSS does not require social engineering for each exploitation instance once the payload is injected, as it automatically executes for subsequent users accessing the compromised report.
RemediationAI
Upgrade ManageEngine Exchange Reporter Plus to version 5802 or later, which contains vendor-released patches addressing the stored XSS vulnerability. Download the patched release from the official ManageEngine product portal and follow standard upgrade procedures per vendor documentation. Zohocorp's security advisory at https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-3880.html provides complete remediation guidance and release notes. If immediate patching is not feasible, implement defense-in-depth controls including restricting access to the Public Folder Client Permissions report to highly trusted administrators only, enforcing strict Content Security Policy headers, and monitoring for anomalous script injection attempts in report parameters. However, these workarounds do not eliminate the underlying vulnerability and should be considered temporary risk reduction measures pending full patch deployment.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18623
GHSA-55qr-4rc4-w5vg