Description
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Folder Message Count and Size report.
Published: 2026-04-03
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw in the Folder Message Count and Size report of ManageEngine Exchange Reporter Plus. Malicious code injected into the report data can be executed in a victim’s browser whenever the report is viewed, allowing an attacker to run scripts in the context of that user.

Affected Systems

Zohocorp ManageEngine Exchange Reporter Plus, versions prior to 5802—including 5.8.5800 and 5.8.5801—are affected.

Risk and Exploitability

With a CVSS score of 7.3, the flaw is considered high severity. The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, indicating a low likelihood of widespread exploitation. The likely attack path involves the web interface, which allows users to supply input that is stored and later rendered in the report. Based on the description, it is inferred that an attacker would need some level of access to supply the malicious content, but authentication requirements are not specified.

Generated by OpenCVE AI on April 3, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ManageEngine Exchange Reporter Plus to version 5802 or later.
  • If upgrading is not immediately possible, restrict or disable the Folder Message Count and Size report until a patch is applied.
  • Apply any vendor‑issued security advisories or patches as soon as they become available.
  • Verify that user‑generated content in reports is properly sanitized or encoded to prevent similar XSS issues.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:-:*:*:*:*:*:*
cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:5800:*:*:*:*:*:*
cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:5801:*:*:*:*:*:*

Fri, 03 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
Description Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Folder Message Count and Size report.
Title Stored XSS Vulnerability
First Time appeared Zohocorp
Zohocorp manageengine Exchange Reporter Plus
Weaknesses CWE-79
CPEs cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:*
Vendors & Products Zohocorp
Zohocorp manageengine Exchange Reporter Plus
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: Zohocorp

Published:

Updated: 2026-04-04T03:55:26.774Z

Reserved: 2026-03-13T09:31:06.306Z

Link: CVE-2026-4107

Vulnrichment

Updated: 2026-04-03T12:05:06.477Z

NVD

Status: Analyzed

Published: 2026-04-03T12:16:19.067

Modified: 2026-04-03T18:26:35.067

Link: CVE-2026-4107

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T07:55:05Z

Weaknesses