Skip to main content

Microsoft EUVDEUVD-2026-18621

| CVE-2026-3879 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-04-03 Zohocorp GHSA-c53v-pgpj-xcg4
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:07 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
5802
EUVD ID Assigned
Apr 03, 2026 - 12:00 euvd
EUVD-2026-18621
Analysis Generated
Apr 03, 2026 - 12:00 vuln.today
CVE Published
Apr 03, 2026 - 11:33 nvd
HIGH 7.3

DescriptionCVE.org

Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Equipment Mailbox Details report.

AnalysisAI

Stored cross-site scripting in ManageEngine Exchange Reporter Plus (versions prior to 5802) allows authenticated attackers with low privileges to inject malicious scripts into Equipment Mailbox Details reports, enabling session hijacking and credential theft against administrative users who view the poisoned reports. No active exploitation confirmed (not in CISA KEV), but the vulnerability affects organizations monitoring Microsoft Exchange environments through ManageEngine's reporting platform.

Technical ContextAI

ManageEngine Exchange Reporter Plus is a web-based reporting and auditing solution for Microsoft Exchange Server environments, tracking mailbox usage, email traffic, and resource allocation. This vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a stored XSS condition where user-supplied input in Equipment Mailbox Details reports is not properly sanitized before being rendered in administrators' browsers. Equipment Mailboxes in Exchange are resource accounts representing schedulable assets like conference rooms or vehicles. The affected product is identified by CPE cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:* covering all versions before build 5802. The stored nature of this XSS makes it particularly dangerous as the malicious payload persists in the database and executes whenever privileged users access the affected report, unlike reflected XSS which requires per-victim social engineering.

RemediationAI

Organizations should immediately upgrade ManageEngine Exchange Reporter Plus to version 5802 or later, which contains vendor-supplied fixes addressing the stored XSS vulnerability in Equipment Mailbox Details reports. The official vendor security advisory at https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-3879.html provides detailed upgrade instructions and release notes. Prior to patching, implement compensating controls including restricting access to report creation and modification functions to trusted administrators only, reviewing existing Equipment Mailbox reports for suspicious content or script tags, monitoring authentication logs for unauthorized access to low-privilege accounts that could inject payloads, and educating report consumers about XSS risks and unusual browser behavior when accessing reports. Apply web application firewall rules to detect and block common XSS patterns if WAF infrastructure fronts the ManageEngine instance. Post-upgrade, validate the fix by testing Equipment Mailbox Detail report functionality and reviewing audit logs for any anomalous activity during the vulnerable period.

Share

EUVD-2026-18621 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy