Skip to main content

Microsoft CVE-2026-4108

| EUVDEUVD-2026-18627 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-04-03 Zohocorp GHSA-hmvm-5r4j-5wx3
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:07 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
5802
EUVD ID Assigned
Apr 03, 2026 - 12:15 euvd
EUVD-2026-18627
Analysis Generated
Apr 03, 2026 - 12:15 vuln.today
CVE Published
Apr 03, 2026 - 11:47 nvd
HIGH 7.3

DescriptionCVE.org

Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Non-Owner Mailbox Permission report.

AnalysisAI

Stored cross-site scripting (XSS) in Zohocorp ManageEngine Exchange Reporter Plus versions prior to 5802 allows authenticated attackers to inject malicious scripts through the Non-Owner Mailbox Permission report, potentially compromising confidentiality and integrity of user sessions. With CVSS 7.3 (High) and EPSS data unavailable, exploitation requires low attack complexity and authenticated access with user interaction. No public exploit identified at time of analysis, and vendor has released patched version 5802.

Technical ContextAI

This vulnerability stems from inadequate input validation and output encoding (CWE-79: Improper Neutralization of Input During Web Page Generation) within the Non-Owner Mailbox Permission reporting module of ManageEngine Exchange Reporter Plus. The affected product (cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus) is an enterprise reporting and auditing solution for Microsoft Exchange environments, designed to track mailbox permissions, access patterns, and administrative activities. Stored XSS vulnerabilities occur when untrusted data is persisted in the application (typically a database) and later rendered in web pages without proper sanitization. In this context, the Non-Owner Mailbox Permission report likely displays mailbox delegation data sourced from Exchange servers, and attackers with authenticated access can inject JavaScript payloads into report parameters or data fields that persist and execute when other users view the compromised report.

RemediationAI

Upgrade ManageEngine Exchange Reporter Plus to build 5802 or later, which contains fixes for the stored XSS vulnerability per the vendor security advisory at https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-4108.html. Administrator should download the latest version from the ManageEngine product portal and follow standard upgrade procedures, ensuring backups of configuration and report data before applying the patch. As an interim control while scheduling upgrades, restrict access to the Exchange Reporter Plus web interface to trusted administrator IP ranges using firewall rules or web application firewall policies, and educate users with report access about the risks of clicking unexpected links or interacting with anomalous report content. Review audit logs for suspicious report modifications or unusual authentication patterns that might indicate reconnaissance or exploitation attempts. No workarounds exist to fully mitigate stored XSS without patching, as the vulnerability resides in the core report rendering logic.

Share

CVE-2026-4108 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy