Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
6DescriptionCVE.org
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Permissions Based on Mailboxes report.
AnalysisAI
Stored cross-site scripting in Zohocorp ManageEngine Exchange Reporter Plus (pre-5802) allows authenticated attackers to inject malicious scripts via the Permissions Based on Mailboxes report, potentially compromising administrator sessions and stealing high-privilege credentials. Attack requires low complexity and user interaction from a victim administrator. CVSS 7.3 (High) reflects significant confidentiality and integrity impact. No public exploit identified at time of analysis, with EPSS data unavailable for this recently disclosed vulnerability.
Technical ContextAI
This vulnerability stems from insufficient input validation and output encoding (CWE-79) in the Permissions Based on Mailboxes reporting feature of ManageEngine Exchange Reporter Plus, a Microsoft Exchange monitoring and compliance tool. The affected component (CPE: cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus) processes user-supplied data for mailbox permission reports without properly sanitizing it before rendering in web contexts. Stored XSS occurs when malicious JavaScript is persisted in the application database or backend storage and subsequently executed in the browsers of other users viewing the compromised report. Unlike reflected XSS, the malicious payload remains embedded in the application, creating persistent attack opportunities. ManageEngine products commonly operate with elevated privileges in enterprise environments, making XSS vulnerabilities particularly dangerous as they can facilitate privilege escalation and lateral movement within Microsoft Exchange infrastructures.
RemediationAI
Upgrade ManageEngine Exchange Reporter Plus to build 5802 or later immediately to address this stored XSS vulnerability. Zohocorp has released an official patch available through standard product update channels, with full details documented in the vendor security advisory at https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-27655.html. Administrators should download the patched build from the ManageEngine customer portal and follow standard upgrade procedures, ensuring proper backup of configuration and report data before deployment. If immediate patching is not feasible, implement compensating controls: restrict access to the Permissions Based on Mailboxes reporting feature to only essential personnel, implement Content Security Policy headers to limit script execution, monitor report generation logs for suspicious activity, and educate administrators to recognize potential social engineering attempts to view unfamiliar reports. Post-remediation, audit existing Permissions Based on Mailboxes reports for suspicious embedded content and review user access logs for anomalous activity during the vulnerable period. No workaround fully mitigates stored XSS risk, making version upgrade the only complete remediation.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18631