Skip to main content

Microsoft EUVDEUVD-2026-18623

| CVE-2026-3880 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-04-03 Zohocorp GHSA-55qr-4rc4-w5vg
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:07 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
5802
EUVD ID Assigned
Apr 03, 2026 - 12:00 euvd
EUVD-2026-18623
Analysis Generated
Apr 03, 2026 - 12:00 vuln.today
CVE Published
Apr 03, 2026 - 11:41 nvd
HIGH 7.3

DescriptionCVE.org

Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Public Folder Client Permissions report.

AnalysisAI

Stored cross-site scripting in ManageEngine Exchange Reporter Plus (versions prior to 5802) allows authenticated attackers to inject malicious scripts through the Public Folder Client Permissions report, enabling session hijacking and credential theft with medium exploitation complexity. No active exploitation confirmed (not present in CISA KEV), though the network-accessible attack vector and stored nature of the XSS elevate real-world risk for organizations using this Exchange monitoring solution.

Technical ContextAI

ManageEngine Exchange Reporter Plus is a reporting and monitoring solution for Microsoft Exchange environments. This vulnerability stems from improper neutralization of input during web page generation (CWE-79), specifically affecting the Public Folder Client Permissions report feature. The stored XSS variant persists malicious JavaScript in the application's data store, causing it to execute whenever other users view the affected report. The CPE identifier cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus confirms this affects Zohocorp's Exchange Reporter Plus product across all versions prior to the patched release. Unlike reflected XSS, stored XSS does not require social engineering for each exploitation instance once the payload is injected, as it automatically executes for subsequent users accessing the compromised report.

RemediationAI

Upgrade ManageEngine Exchange Reporter Plus to version 5802 or later, which contains vendor-released patches addressing the stored XSS vulnerability. Download the patched release from the official ManageEngine product portal and follow standard upgrade procedures per vendor documentation. Zohocorp's security advisory at https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-3880.html provides complete remediation guidance and release notes. If immediate patching is not feasible, implement defense-in-depth controls including restricting access to the Public Folder Client Permissions report to highly trusted administrators only, enforcing strict Content Security Policy headers, and monitoring for anomalous script injection attempts in report parameters. However, these workarounds do not eliminate the underlying vulnerability and should be considered temporary risk reduction measures pending full patch deployment.

Share

EUVD-2026-18623 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy