Skip to main content

Microsoft EUVDEUVD-2026-18631

| CVE-2026-27655 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-04-03 Zohocorp
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:07 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
5802
EUVD ID Assigned
Apr 03, 2026 - 12:45 euvd
EUVD-2026-18631
Analysis Generated
Apr 03, 2026 - 12:45 vuln.today
CVE Published
Apr 03, 2026 - 12:23 nvd
HIGH 7.3

DescriptionCVE.org

Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Permissions Based on Mailboxes report.

AnalysisAI

Stored cross-site scripting in Zohocorp ManageEngine Exchange Reporter Plus (pre-5802) allows authenticated attackers to inject malicious scripts via the Permissions Based on Mailboxes report, potentially compromising administrator sessions and stealing high-privilege credentials. Attack requires low complexity and user interaction from a victim administrator. CVSS 7.3 (High) reflects significant confidentiality and integrity impact. No public exploit identified at time of analysis, with EPSS data unavailable for this recently disclosed vulnerability.

Technical ContextAI

This vulnerability stems from insufficient input validation and output encoding (CWE-79) in the Permissions Based on Mailboxes reporting feature of ManageEngine Exchange Reporter Plus, a Microsoft Exchange monitoring and compliance tool. The affected component (CPE: cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus) processes user-supplied data for mailbox permission reports without properly sanitizing it before rendering in web contexts. Stored XSS occurs when malicious JavaScript is persisted in the application database or backend storage and subsequently executed in the browsers of other users viewing the compromised report. Unlike reflected XSS, the malicious payload remains embedded in the application, creating persistent attack opportunities. ManageEngine products commonly operate with elevated privileges in enterprise environments, making XSS vulnerabilities particularly dangerous as they can facilitate privilege escalation and lateral movement within Microsoft Exchange infrastructures.

RemediationAI

Upgrade ManageEngine Exchange Reporter Plus to build 5802 or later immediately to address this stored XSS vulnerability. Zohocorp has released an official patch available through standard product update channels, with full details documented in the vendor security advisory at https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-27655.html. Administrators should download the patched build from the ManageEngine customer portal and follow standard upgrade procedures, ensuring proper backup of configuration and report data before deployment. If immediate patching is not feasible, implement compensating controls: restrict access to the Permissions Based on Mailboxes reporting feature to only essential personnel, implement Content Security Policy headers to limit script execution, monitor report generation logs for suspicious activity, and educate administrators to recognize potential social engineering attempts to view unfamiliar reports. Post-remediation, audit existing Permissions Based on Mailboxes reports for suspicious embedded content and review user access logs for anomalous activity during the vulnerable period. No workaround fully mitigates stored XSS risk, making version upgrade the only complete remediation.

Share

EUVD-2026-18631 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy