Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
6DescriptionCVE.org
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Mails Exchanged Between Users report.
AnalysisAI
Stored cross-site scripting (XSS) in ManageEngine Exchange Reporter Plus before version 5802 allows authenticated attackers to inject malicious scripts into the 'Mails Exchanged Between Users' report. With CVSS 7.3 (High severity) and low attack complexity (AC:L), this vulnerability requires low-privilege authentication (PR:L) and user interaction (UI:R) to achieve high confidentiality and integrity impact. No public exploit identified at time of analysis, though authentication requirements lower the barrier for insider threats or compromised accounts.
Technical ContextAI
ManageEngine Exchange Reporter Plus is a Microsoft Exchange Server reporting and analytics solution from Zohocorp. This vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic stored XSS weakness where user-supplied data is not properly sanitized before being stored and rendered in web reports. The affected component is specifically the 'Mails Exchanged Between Users' report feature, which likely displays email metadata or content. When malicious JavaScript is injected into report parameters or data fields, it persists in the application database and executes in the browsers of users viewing the compromised report. The CPE identifier (cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:*) confirms all versions prior to the fixed release are affected, indicating a long-standing input validation gap in the reporting engine's data handling routines.
RemediationAI
Upgrade ManageEngine Exchange Reporter Plus to version 5802 or later, which contains vendor-released patches addressing the stored XSS vulnerability. The official vendor security advisory at https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-28703.html provides download links and upgrade instructions. Organizations should prioritize patching systems accessible to less-trusted users or those processing sensitive email metadata. As interim mitigation while planning upgrades, restrict access to the 'Mails Exchanged Between Users' report feature to highly trusted administrators only, implement Content Security Policy (CSP) headers if supported, and monitor report usage logs for suspicious access patterns. No workaround fully eliminates the risk; upgrade to build 5802 is the definitive remediation.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18617