Description
Zohocorp ManageEngine ADSelfService Plus versions 6522 and below are vulnerable to authenticated SQL Injection in the search report option.
Published: 2026-02-23
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized database access and data exposure via SQL injection
Action: Apply Patch
AI Analysis

Impact

Authenticated users of Zohocorp ManageEngine ADSelfService Plus can exploit a flaw in the search report option to inject arbitrary SQL. The vulnerability allows attackers to read, modify, or delete sensitive data stored in the database, potentially leading to a compromise of confidentiality and integrity of user information. While the exact damage depends on the privileges of the attacker, the impact includes unauthorized data access and possible manipulation of system configuration.

Affected Systems

The flaw affects ManageEngine ADSelfService Plus versions 6522 and earlier. These releases are bundled under the Zohocorp vendor, and the issue is not present in newer versions released after 6522.

Risk and Exploitability

With a CVSS score of 8.3, the vulnerability is considered high severity. The EPSS score of less than 1% indicates a low probability of exploitation in the wild, and it is not listed in the CISA KEV catalog. The likely attack vector requires authentication and access to the search report feature, so only users with legitimate credentials and sufficient privileges can target the system.

Generated by OpenCVE AI on April 17, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest ManageEngine ADSelfService Plus release (version 6523 or later) to contain the SQL injection flaw
  • Limit user permissions so that only trusted administrators can access the search report functionality
  • If the search feature is not needed, disable it via the application settings to remove the attack surface

Generated by OpenCVE AI on April 17, 2026 at 16:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 07:30:00 +0000

Type Values Removed Values Added
Description Zohocorp ManageEngine ADSelfService Plus versions 6522 and below are vulnerable to authenticated SQL Injection in the search report option.
Title SQL Injection
First Time appeared Zohocorp
Zohocorp manageengine Adselfservice Plus
Weaknesses CWE-89
CPEs cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:*:*:*:*:*:*:*:*
Vendors & Products Zohocorp
Zohocorp manageengine Adselfservice Plus
References
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}

Subscriptions

Zohocorp Manageengine Adselfservice Plus
cve-icon MITRE

Status: PUBLISHED

Assigner: Zohocorp

Published:

Updated: 2026-02-26T14:44:11.687Z

Reserved: 2026-01-23T12:04:24.781Z

Link: CVE-2026-1367

cve-icon Vulnrichment

Updated: 2026-02-23T13:21:22.467Z

cve-icon NVD

Status : Deferred

Published: 2026-02-23T08:16:13.460

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1367

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T16:30:05Z

Weaknesses