How to fix CVE-2026-4108?

Within 24 hours: Inventory all ManageEngine Exchange Reporter Plus deployments and confirm current versions below 5802. Within 7 days: Upgrade all affected instances to version 5802 or later per vendor advisory. Within 30 days: Audit Non-Owner Mailbox Permission reports for suspicious script payloads; restrict reporter access to principle-of-least-privilege users only and implement output encoding validation on custom reports.

Is Microsoft affected by CVE-2026-4108?

Zoho ManageEngine Exchange Reporter Plus contains a stored XSS vulnerability that allows authenticated users to inject malicious scripts through reporting functionality, potentially compromising session confidentiality and data integrity across the organization.

CVE-2026-4108

EUVD-2026-18627 HIGH

2026-04-03 Zohocorp

GHSA-hmvm-5r4j-5wx3

7.3

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Apr 03, 2026 - 12:15 vuln.today

EUVD ID Assigned

Apr 03, 2026 - 12:15 euvd

EUVD-2026-18627

CVE Published

Apr 03, 2026 - 11:47 nvd

HIGH 7.3

Description

Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Non-Owner Mailbox Permission report.

Analysis

Stored cross-site scripting (XSS) in Zohocorp ManageEngine Exchange Reporter Plus versions prior to 5802 allows authenticated attackers to inject malicious scripts through the Non-Owner Mailbox Permission report, potentially compromising confidentiality and integrity of user sessions. With CVSS 7.3 (High) and EPSS data unavailable, exploitation requires low attack complexity and authenticated access with user interaction. …

Remediation

Within 24 hours: Inventory all ManageEngine Exchange Reporter Plus deployments and confirm current versions below 5802. Within 7 days: Upgrade all affected instances to version 5802 or later per vendor advisory. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +36

POC: 0

CVE-2026-4108 vulnerability details – vuln.today

Back

CVE-2026-4108

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-4108

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code