Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
6DescriptionCVE.org
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Non-Owner Mailbox Permission report.
AnalysisAI
Stored cross-site scripting (XSS) in Zohocorp ManageEngine Exchange Reporter Plus versions prior to 5802 allows authenticated attackers to inject malicious scripts through the Non-Owner Mailbox Permission report, potentially compromising confidentiality and integrity of user sessions. With CVSS 7.3 (High) and EPSS data unavailable, exploitation requires low attack complexity and authenticated access with user interaction. No public exploit identified at time of analysis, and vendor has released patched version 5802.
Technical ContextAI
This vulnerability stems from inadequate input validation and output encoding (CWE-79: Improper Neutralization of Input During Web Page Generation) within the Non-Owner Mailbox Permission reporting module of ManageEngine Exchange Reporter Plus. The affected product (cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus) is an enterprise reporting and auditing solution for Microsoft Exchange environments, designed to track mailbox permissions, access patterns, and administrative activities. Stored XSS vulnerabilities occur when untrusted data is persisted in the application (typically a database) and later rendered in web pages without proper sanitization. In this context, the Non-Owner Mailbox Permission report likely displays mailbox delegation data sourced from Exchange servers, and attackers with authenticated access can inject JavaScript payloads into report parameters or data fields that persist and execute when other users view the compromised report.
RemediationAI
Upgrade ManageEngine Exchange Reporter Plus to build 5802 or later, which contains fixes for the stored XSS vulnerability per the vendor security advisory at https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-4108.html. Administrator should download the latest version from the ManageEngine product portal and follow standard upgrade procedures, ensuring backups of configuration and report data before applying the patch. As an interim control while scheduling upgrades, restrict access to the Exchange Reporter Plus web interface to trusted administrator IP ranges using firewall rules or web application firewall policies, and educate users with report access about the risks of clicking unexpected links or interacting with anomalous report content. Review audit logs for suspicious report modifications or unusual authentication patterns that might indicate reconnaissance or exploitation attempts. No workarounds exist to fully mitigate stored XSS without patching, as the vulnerability resides in the core report rendering logic.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18627
GHSA-hmvm-5r4j-5wx3