Skip to main content

Microsoft CVE-2026-4107

| EUVDEUVD-2026-18625 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-04-03 Zohocorp GHSA-h96r-c882-j4mv
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:07 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
5802
EUVD ID Assigned
Apr 03, 2026 - 12:00 euvd
EUVD-2026-18625
Analysis Generated
Apr 03, 2026 - 12:00 vuln.today
CVE Published
Apr 03, 2026 - 11:44 nvd
HIGH 7.3

DescriptionCVE.org

Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Folder Message Count and Size report.

AnalysisAI

Stored cross-site scripting in ManageEngine Exchange Reporter Plus before version 5802 allows authenticated attackers to inject malicious scripts via the Folder Message Count and Size report. With CVSS 7.3 (High severity) and requiring low-privilege authentication with user interaction, successful exploitation enables session hijacking and credential theft within the administrative interface. No public exploit identified at time of analysis, though CVSS vector indicates network-accessible attack surface with low complexity.

Technical ContextAI

This is a stored (persistent) XSS vulnerability classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). ManageEngine Exchange Reporter Plus is an email analytics and reporting solution for Microsoft Exchange environments that monitors mailbox usage, storage metrics, and messaging patterns. The vulnerability exists in the report generation module specifically handling Folder Message Count and Size data. Stored XSS occurs when user-supplied input (likely folder names, message attributes, or custom report parameters) is not properly sanitized before being stored in the database and subsequently rendered in HTML reports. The affected product CPE (cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus) indicates this is a Zohocorp product targeting Microsoft Exchange infrastructure monitoring, making it typically deployed in enterprise environments with access to sensitive email metadata and organizational communication patterns.

RemediationAI

Upgrade ManageEngine Exchange Reporter Plus to version 5802 or later, which remediates the stored XSS vulnerability in report generation modules. Organizations should immediately update to the vendor-released patched version following standard change management procedures. Review existing Folder Message Count and Size reports for potentially malicious injected content created before patching, particularly those generated by recently created or low-privilege user accounts. As an interim risk reduction measure if immediate patching is not feasible, restrict access to report creation and viewing functions to trusted administrative users only, and implement content security policies to mitigate XSS impact. Consult the official Zohocorp security advisory at https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-4107.html for additional deployment-specific guidance and verification procedures.

Share

CVE-2026-4107 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy