Description
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Mails Exchanged Between Users report.
Published: 2026-04-03
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

A stored cross‑site scripting vulnerability exists in the Mails Exchanged Between Users report of ManageEngine Exchange Reporter Plus. The flaw allows an attacker to inject malicious script code that is persisted in the report data and executed when a user views the report. This can lead to theft of session cookies or user credentials, or to the execution of arbitrary actions on behalf of the victim.

Affected Systems

Zohocorp ManageEngine Exchange Reporter Plus versions prior to 5802, including the 5.8 series and sub‑builds 5800 and 5801, are vulnerable. Any deployment using these versions could be exposed to the vulnerability.

Risk and Exploitability

The vulnerability has a CVSS score of 7.3, indicating high severity. The EPSS score is below 1%, suggesting a low current exploit probability, and it is not listed in the CISA KEV catalog. The attack is likely to occur when a malicious user crafts or injects content into the report, which is then displayed to legitimate users who open the Mails Exchanged Between Users report. The impact could enable session hijacking or other lateral actions; however, the exploit requires the victim to view the compromised report. Therefore, while the risk is moderate, the potential damage is significant if users are unaware of the threat.

Generated by OpenCVE AI on April 3, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ManageEngine Exchange Reporter Plus to version 5802 or later
  • Verify the installed version against the affected version list and apply any available vendor patches
  • Review and restrict access to the Mails Exchanged Between Users report to trusted users only



Advisories

No advisories yet.

History

Fri, 03 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:-:*:*:*:*:*:*
cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:5800:*:*:*:*:*:*
cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:5801:*:*:*:*:*:*

Fri, 03 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
Description Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Mails Exchanged Between Users report.
Title Stored XSS Vulnerability
First Time appeared Zohocorp
Zohocorp manageengine Exchange Reporter Plus
Weaknesses CWE-79
CPEs cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:*
Vendors & Products Zohocorp
Zohocorp manageengine Exchange Reporter Plus
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Zohocorp

Published:

Updated: 2026-04-04T03:55:30.454Z

Reserved: 2026-03-13T11:43:54.676Z

Link: CVE-2026-28703

Vulnrichment

Updated: 2026-04-03T12:48:29.354Z

NVD

Status: Analyzed

Published: 2026-04-03T12:16:17.490

Modified: 2026-04-03T18:50:54.473

Link: CVE-2026-28703

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T07:55:08Z
