Skip to main content

Microsoft EUVDEUVD-2026-18619

| CVE-2026-28756 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-04-03 Zohocorp GHSA-4g8c-fcmg-72qf
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:07 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
5802
EUVD ID Assigned
Apr 03, 2026 - 11:15 euvd
EUVD-2026-18619
Analysis Generated
Apr 03, 2026 - 11:15 vuln.today
CVE Published
Apr 03, 2026 - 11:11 nvd
HIGH 7.3

DescriptionCVE.org

Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Permissions based on Distribution Groups report.

AnalysisAI

Stored cross-site scripting (XSS) in ManageEngine Exchange Reporter Plus before version 5802 allows authenticated attackers with low privileges to inject malicious scripts into the Permissions based on Distribution Groups report, potentially leading to session hijacking and account compromise of administrators viewing the report. No active exploitation confirmed (CISA KEV absent), but the network-accessible attack vector and low complexity make this exploitable with publicly documented vendor advisory details.

Technical ContextAI

This vulnerability affects Zohocorp ManageEngine Exchange Reporter Plus (CPE: cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus), a web-based reporting solution for Microsoft Exchange environments. The flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as cross-site scripting. The stored XSS variant persists malicious JavaScript payloads in the application database, specifically within the Permissions based on Distribution Groups reporting module. When administrators or privileged users access the compromised report, the injected script executes in their browser context with their session privileges. This represents a failure to sanitize user-controlled input before rendering it in HTML responses, a critical security control for web applications handling Exchange server data visualization.

RemediationAI

Upgrade ManageEngine Exchange Reporter Plus to version 5802 or later, which contains vendor-released patches addressing the stored XSS vulnerability. Download the patched release from Zohocorp's official distribution channels and follow standard upgrade procedures documented in the ManageEngine deployment guide. Review the vendor advisory at https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-28756.html for version-specific installation notes. Post-upgrade, audit existing Distribution Groups reports for suspicious content or JavaScript payloads that may have been injected prior to patching. As a temporary risk reduction measure until patching, restrict access to the Permissions based on Distribution Groups reporting feature to only essential personnel and implement enhanced monitoring of user sessions accessing this module.

Share

EUVD-2026-18619 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy