Description
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Permissions based on Distribution Groups report.
Published: 2026-04-03
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Client‑side Script Execution via Stored XSS
Action: Apply Patch
AI Analysis

Impact

Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 store input to the Permissions based on Distribution Groups report without adequate sanitization, so an attacker can inject JavaScript that is rendered, and executed, in the browser of any user who later views the report. Such stored XSS can enable credential theft, session hijacking, or defacement of the web interface, affecting the confidentiality and integrity of user data. The flaw is a classic client-side cross-site scripting weakness (CWE-79).

Affected Systems

Versions of ManageEngine Exchange Reporter Plus earlier than 5802, including the 5.8 series up to 5.8.5801, are affected.

Risk and Exploitability

The CVSS score of 7.3 indicates high severity, but the EPSS score of less than 1% suggests that exploitation is currently unlikely, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is inferred to be a web-based input form used for creating or editing the Permissions based on Distribution Groups report: a user with sufficient privileges submits a malicious payload, which is stored persistently and executed later when the report is viewed. This is consistent with the published CVSS vector, which requires low privileges (PR:L) and user interaction (UI:R). If the application lets unauthenticated or low-privilege users create such reports, the risk increases; otherwise the impact is limited to users with direct access to the report. The potential for both user-targeted and broader compromise remains, so corrective action is warranted.

Generated by OpenCVE AI on April 3, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to ManageEngine Exchange Reporter Plus version 5802 or later, which addresses the stored XSS in the report.
  • If an immediate upgrade is not possible, restrict or remove the ability for users to create or modify Permissions based on Distribution Groups reports, limiting the attack surface.
  • Implement server‑side input sanitization or output encoding for report content to neutralize embedded scripts.
  • Deploy a Web Application Firewall rule that blocks payloads containing potentially malicious script tags or JavaScript code.
  • Verify that reports render without executing injected scripts and monitor application logs for suspicious input patterns.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 19:00:00 +0000

Type   Values removed   Values added
CPEs   (none)           cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:-:*:*:*:*:*:*
                        cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:5800:*:*:*:*:*:*
                        cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:5801:*:*:*:*:*:*

Fri, 03 Apr 2026 12:45:00 +0000

Type      Values removed   Values added
Metrics   (none)           ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 11:30:00 +0000

Type                  Values removed   Values added
Description           (none)           Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Permissions based on Distribution Groups report.
Title                 (none)           Stored XSS Vulnerability
First Time appeared   (none)           Zohocorp; Zohocorp manageengine Exchange Reporter Plus
Weaknesses            (none)           CWE-79
CPEs                  (none)           cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:*
Vendors & Products    (none)           Zohocorp; Zohocorp manageengine Exchange Reporter Plus
References            (none)           (none)
Metrics               (none)           cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: Zohocorp

Published:

Updated: 2026-04-04T03:55:24.331Z

Reserved: 2026-03-13T11:43:54.683Z

Link: CVE-2026-28756

Vulnrichment

Updated: 2026-04-03T12:08:17.860Z

NVD

Status: Analyzed

Published: 2026-04-03T11:17:05.767

Modified: 2026-04-03T18:52:01.003

Link: CVE-2026-28756

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T07:55:09Z

Weaknesses