Description
Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 are vulnerable to Authenticated SQL injection in the query report module.
Published: 2026-04-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated SQL injection
Action: Apply Patch
AI Analysis

Impact

Zohocorp ManageEngine PAM360 versions prior to 8531 and ManageEngine Password Manager Pro versions from 8600 through 13230 contain an authenticated SQL injection flaw in the query report module. A user with valid credentials can supply input that the module incorporates into a database query without neutralisation, so attacker-controlled text is executed as SQL. The published CVSS vector rates the impact as high on confidentiality and integrity (C:H/I:H) and none on availability (A:N); in a privileged-access product that puts the stored credentials and audit records at risk of exfiltration or modification. This is a textbook CWE-89 weakness: unsanitised input reaching the database engine as part of the query text.

Affected Systems

Affected products are Zohocorp's ManageEngine PAM360 (every build before 8531) and ManageEngine Password Manager Pro (builds 8600 through 13230, inclusive). The injectable code path is the query report module, which only an authenticated user can reach. The page gives no information about Password Manager Pro builds earlier than 8600, so treat those as unassessed rather than as known-unaffected.
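
As an added example (not from the OpenCVE page or from Zoho), the following Python encodes the two affected ranges above so that a build inventory can be triaged. It treats build numbers as plain integers, as the description presents them; the hostnames and builds in `SAMPLE_INVENTORY` and the product keys `pam360` and `password_manager_pro` are constructed for the example. Password Manager Pro builds below 8600 are reported as outside the quoted range, not as safe, because the page says nothing about them.

```python
# Added example, not from the OpenCVE page or from Zoho: triage an inventory of
# ManageEngine build numbers against the affected ranges quoted in the description.
# Builds are treated as plain integers, as the advisory text presents them; the
# hostnames, builds and product keys below are constructed, not real.

# product key -> (lowest affected build, highest affected build), both inclusive
AFFECTED_RANGES = {
    "pam360": (0, 8530),                    # "versions before 8531"
    "password_manager_pro": (8600, 13230),  # "versions from 8600 to 13230"
}

# first build outside each affected range, implied by the ranges above
FIRST_FIXED = {"pam360": 8531, "password_manager_pro": 13231}


def is_affected(product: str, build: int) -> bool:
    """True if `build` of `product` lies inside the affected range for CVE-2026-5785."""
    low, high = AFFECTED_RANGES[product]
    return low <= build <= high


def triage(inventory):
    """Classify (host, product, build) tuples; unknown products are reported, not skipped."""
    results = []
    for host, product, build in inventory:
        if product not in AFFECTED_RANGES:
            verdict = "unknown product, check manually"
        elif is_affected(product, build):
            verdict = f"AFFECTED, upgrade to {FIRST_FIXED[product]} or later"
        else:
            # Outside the quoted range; for PMP builds below 8600 the page says nothing,
            # so this is "not in the quoted range", not a statement that the build is safe.
            verdict = "not in affected range"
        results.append((host, product, build, verdict))
    return results


SAMPLE_INVENTORY = [  # constructed inventory for the example
    ("pam-prod-01", "pam360", 8520),
    ("pam-prod-02", "pam360", 8531),
    ("pmp-01", "password_manager_pro", 13230),
    ("pmp-02", "password_manager_pro", 13231),
    ("pmp-legacy", "password_manager_pro", 8599),
    ("lab-box", "some_other_product", 14000),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(*row, sep="\t")
```

The boundaries are where mistakes happen in practice: "before 8531" means 8530 is the last affected build, and "from 8600 to 13230" is inclusive at both ends, so the first safe Password Manager Pro build is 13231.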

Risk and Exploitability

The CVSS 3.1 score of 8.1 classifies the vulnerability as high severity; the vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) describes a network-reachable flaw of low complexity that needs only low privileges and no user interaction, with high impact on confidentiality and integrity and none on availability. The EPSS score is below 1% (very low), the flaw is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation and rates it not automatable. The attack vector is authenticated: an attacker needs a valid account, after which they can run attacker-chosen SQL against the backend database and read or alter stored credentials and audit data. Because any low-privilege account suffices, a compromised or insider account is a realistic path to that precondition.

Generated by OpenCVE AI on April 17, 2026 at 02:58 UTC.

Remediation

No vendor advisory or workaround is linked from this page. The affected ranges in the description imply that PAM360 build 8531 and Password Manager Pro build 13231 are the first builds outside the vulnerable range.

OpenCVE Recommended Actions

  • Upgrade Zohocorp ManageEngine PAM360 to build 8531 or later and ManageEngine Password Manager Pro to build 13231 or later, and confirm the fixed builds against the vendor's advisory for CVE-2026-5785 once it is linked here
  • If an immediate upgrade is not feasible, restrict the query report module to the users who need it, or disable it, so that fewer authenticated accounts can reach the injectable code path
  • Where compromise is suspected, review the product's audit trail for report queries with unusual filter values and rotate any credentials that a report user could have read, since the vector rates confidentiality impact as high
  • For any custom extensions or scripts that issue queries against the database, use parameterized queries (bound values) instead of string concatenation and validate input as a second layer; this addresses the underlying CWE-89 weakness
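
As an added illustration of the CWE-89 pattern described in the Impact section and of the parameterized-query advice in the recommended actions (this is not code from ManageEngine or from the OpenCVE page; the `report_rows` table, its columns, the per-owner scoping and the `resource_filter` parameter are assumptions standing in for a report module whose real schema and backend the page does not describe), the following Python runs the same user-supplied filter through a concatenated query and through a bound-parameter query over an in-memory SQLite table:

```python
import sqlite3

# Added example, not code from the OpenCVE page or from ManageEngine. The table,
# its columns, the owner scoping and the filter parameter are constructed for
# illustration; the real query report module's schema and code are not on the page.

SAMPLE_ROWS = [  # constructed audit rows, not real data
    ("alice", "db-prod-01", "s3cr3t-a"),
    ("alice", "web-01", "s3cr3t-b"),
    ("bob", "hsm-gw", "s3cr3t-c"),
]


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for the report backend (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE report_rows (id INTEGER PRIMARY KEY, owner TEXT, resource TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO report_rows (owner, resource, secret) VALUES (?, ?, ?)", SAMPLE_ROWS
    )
    return conn


def report_vulnerable(conn, owner: str, resource_filter: str):
    """CWE-89 pattern: a user-controlled report filter is concatenated into the SQL text.

    The owner check is meant to scope the report to the caller's own rows, but an
    injected filter rewrites the WHERE clause and defeats it."""
    sql = (
        "SELECT owner, resource, secret FROM report_rows "
        f"WHERE owner = '{owner}' AND resource LIKE '{resource_filter}%'"
    )
    return conn.execute(sql).fetchall()


def like_escape(term: str) -> str:
    """Neutralise LIKE wildcards so the filter matches literally (pairs with ESCAPE below)."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def report_parameterized(conn, owner: str, resource_filter: str):
    """Hardened form: bound parameters are never parsed as SQL, so quotes and
    comment markers in the filter cannot change the query's structure."""
    sql = (
        "SELECT owner, resource, secret FROM report_rows "
        "WHERE owner = ? AND resource LIKE ? ESCAPE '\\'"
    )
    return conn.execute(sql, (owner, like_escape(resource_filter) + "%")).fetchall()


def demo() -> dict:
    """Run a benign filter, an injection payload and a wildcard through both versions."""
    conn = make_db()
    payload = "' OR 1=1 --"  # closes the string, ORs in a tautology, comments out the rest
    return {
        "benign_vulnerable": report_vulnerable(conn, "alice", "db"),
        "benign_safe": report_parameterized(conn, "alice", "db"),
        "payload_vulnerable": report_vulnerable(conn, "bob", payload),    # every row, all owners
        "payload_safe": report_parameterized(conn, "bob", payload),       # no rows
        "wildcard_vulnerable": report_vulnerable(conn, "alice", "web_"),  # '_' matches '-'
        "wildcard_safe": report_parameterized(conn, "alice", "web_"),     # literal 'web_' only
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the payload, the concatenated query becomes `... AND resource LIKE '' OR 1=1 --%'`, which returns every owner's secrets regardless of the owner check; the bound version treats the same text as a literal pattern and returns nothing. Binding values fixes the injection but not LIKE wildcard matching, which is why the `ESCAPE` clause and `like_escape` are shown alongside it.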

Tracking


Advisories

No advisories yet.

History

Thu, 16 Apr 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 16 Apr 2026 14:00:00 +0000

Values Removed: none for every row below (initial record)

Type: Description
Values Added: Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 are vulnerable to Authenticated SQL injection in the query report module.

Type: Title
Values Added: SQL Injection

Type: First Time appeared
Values Added: Zohocorp; Zohocorp manageengine Pam360; Zohocorp manageengine Password Manager Pro

Type: Weaknesses
Values Added: CWE-89

Type: CPEs
Values Added: cpe:2.3:a:zohocorp:manageengine_pam360:*:*:*:*:*:*:*:*; cpe:2.3:a:zohocorp:manageengine_password_manager_pro:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Zohocorp; Zohocorp manageengine Pam360; Zohocorp manageengine Password Manager Pro

Type: References
Values Added: none listed

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Zohocorp

Published:

Updated: 2026-04-17T03:55:15.059Z

Reserved: 2026-04-08T10:55:40.854Z

Link: CVE-2026-5785

Vulnrichment

Updated: 2026-04-16T14:25:24.637Z

NVD

Status : Awaiting Analysis

Published: 2026-04-16T14:16:18.430

Modified: 2026-04-17T15:17:00.957

Link: CVE-2026-5785

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T03:00:08Z

Weaknesses