Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
6DescriptionCVE.org
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Folder Message Count and Size report.
AnalysisAI
Stored cross-site scripting in ManageEngine Exchange Reporter Plus before version 5802 allows authenticated attackers to inject malicious scripts via the Folder Message Count and Size report. With CVSS 7.3 (High severity) and requiring low-privilege authentication with user interaction, successful exploitation enables session hijacking and credential theft within the administrative interface. No public exploit identified at time of analysis, though CVSS vector indicates network-accessible attack surface with low complexity.
Technical ContextAI
This is a stored (persistent) XSS vulnerability classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). ManageEngine Exchange Reporter Plus is an email analytics and reporting solution for Microsoft Exchange environments that monitors mailbox usage, storage metrics, and messaging patterns. The vulnerability exists in the report generation module specifically handling Folder Message Count and Size data. Stored XSS occurs when user-supplied input (likely folder names, message attributes, or custom report parameters) is not properly sanitized before being stored in the database and subsequently rendered in HTML reports. The affected product CPE (cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus) indicates this is a Zohocorp product targeting Microsoft Exchange infrastructure monitoring, making it typically deployed in enterprise environments with access to sensitive email metadata and organizational communication patterns.
RemediationAI
Upgrade ManageEngine Exchange Reporter Plus to version 5802 or later, which remediates the stored XSS vulnerability in report generation modules. Organizations should immediately update to the vendor-released patched version following standard change management procedures. Review existing Folder Message Count and Size reports for potentially malicious injected content created before patching, particularly those generated by recently created or low-privilege user accounts. As an interim risk reduction measure if immediate patching is not feasible, restrict access to report creation and viewing functions to trusted administrative users only, and implement content security policies to mitigate XSS impact. Consult the official Zohocorp security advisory at https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-4107.html for additional deployment-specific guidance and verification procedures.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18625
GHSA-h96r-c882-j4mv