Skip to main content

Microsoft EUVDEUVD-2026-18615

| CVE-2026-28754 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-04-03 Zohocorp
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:07 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
5802
EUVD ID Assigned
Apr 03, 2026 - 10:30 euvd
EUVD-2026-18615
Analysis Generated
Apr 03, 2026 - 10:30 vuln.today
CVE Published
Apr 03, 2026 - 10:08 nvd
HIGH 7.3

DescriptionCVE.org

Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Distribution Lists report.

AnalysisAI

Stored cross-site scripting (XSS) in ManageEngine Exchange Reporter Plus versions prior to 5802 allows authenticated attackers with low privileges to inject malicious scripts into Distribution Lists reports that execute when viewed by other users, potentially compromising session tokens and account credentials of administrators or other privileged users. The vulnerability requires user interaction (victim must view the malicious report) but enables high-impact attacks against confidentiality and integrity within the application scope. No public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

This vulnerability affects Zohocorp ManageEngine Exchange Reporter Plus (CPE: cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus), an enterprise reporting and auditing solution for Microsoft Exchange environments. The flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating insufficient input validation and output encoding in the Distribution Lists reporting feature. Stored XSS vulnerabilities occur when user-supplied data is persisted in the application (database, file system, or other storage) and later rendered in web pages without proper sanitization. In this case, malicious JavaScript can be injected into Distribution Lists report fields, stored in the application backend, and executed in the browsers of subsequent users who access the compromised reports. This persistence distinguishes stored XSS from reflected variants and increases the attack surface, as victims need not click malicious links-simply accessing legitimate application functionality triggers the payload.

RemediationAI

Organizations should upgrade ManageEngine Exchange Reporter Plus to version 5802 or later, which contains fixes for this stored XSS vulnerability. The vendor-released patch is available through standard ManageEngine update channels, with detailed installation guidance provided in the official security advisory at https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-28754.html. As an interim mitigation for environments where immediate patching is not feasible, organizations should restrict access to the Distribution Lists reporting feature to only highly trusted administrative accounts, implement additional input validation at the network perimeter (such as web application firewall rules targeting XSS patterns), and educate users with report-viewing privileges about the risks of interacting with unexpected content or prompts within the application interface. However, these workarounds provide incomplete protection and should not be considered substitutes for applying the vendor patch. Post-remediation, administrators should audit existing Distribution Lists reports for evidence of malicious script injection and review application access logs for suspicious authenticated activity during the vulnerable period.

Share

EUVD-2026-18615 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy