Description
Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 are vulnerable to Authenticated SQL injection in the query report module.
Published: 2026-04-16
Score: 8.1 High
EPSS: 1.4% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability described in the advisory is an authenticated SQL injection flaw (CWE-89) in the query report module of Zohocorp's ManageEngine PAM360 and Password Manager Pro. An attacker who holds valid user credentials can submit crafted input through the report query interface that is incorporated into a SQL statement, causing the database engine to execute statements the application never intended. Because the flaw allows arbitrary SQL to run against the application's database, it threatens the confidentiality and integrity of the data stored there, which in a privileged access management product includes stored passwords and audit records. The description does not detail specific downstream effects, and the CVSS vector records no availability impact.

Affected Systems

Affected systems include Zohocorp's ManageEngine PAM360 builds earlier than 8531 and ManageEngine Password Manager Pro builds from 8600 through 13230; Password Manager Pro builds earlier than 8600 are not listed as affected. The description indicates that exploitation requires an authenticated session with access to the query report module.

Risk and Exploitability

The CVSS 3.1 base score of 8.1 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) classifies the vulnerability as high severity: it is reachable over the network with low attack complexity, needs only low privileges and no user interaction, and has high confidentiality and integrity impact with no availability impact. The EPSS score of 1.4% indicates a low but non-zero probability of exploitation in the current landscape, the flaw is not listed in the CISA KEV catalog, and the SSVC record marks exploitation as "none" and the flaw as not automatable, with total technical impact. The attack requires a legitimate account that has permission to use the query report module; once authenticated, the attacker can run arbitrary SQL statements against the database, potentially enabling unauthorized data retrieval or modification. Because the product stores privileged credentials, any account able to reach the report module, including a low-privileged one, should be treated as a potential path to the credential store until a fixed build is installed.

Generated by OpenCVE AI on June 18, 2026 at 13:18 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The affected ranges in the description imply that PAM360 build 8531 and Password Manager Pro build 13231 are the first unaffected builds; confirm this against the vendor's advisory once it is published.

OpenCVE Recommended Actions

  • Upgrade Zohocorp ManageEngine PAM360 to version 8531 or later and ManageEngine Password Manager Pro to version 13231 or later, following the vendor’s security advisory
  • If an immediate patch is not possible, restrict or disable access to the query report module for users who do not require it
  • The underlying CWE-89 weakness is removed in the product code by binding report parameters with prepared statements instead of concatenating them into SQL; that is the vendor's fix, not something an operator can apply, so until a fixed build is installed, review database and application audit logs for unusual report queries from accounts that use the module
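The recommendations above describe the generic CWE-89 fix. The following Python example is added here and is not taken from the advisory or from the ManageEngine products; it shows the pattern on a constructed in-memory SQLite database. A hypothetical report-filter function concatenates a user-supplied filter into a LIKE clause, a UNION payload makes it return rows from an unrelated credentials table, and the parameterized version of the same query returns nothing for that payload. The table and column names, the user names, the stored secrets and the function names are all constructed for the illustration.

```python
import sqlite3

# Constructed sample schema and rows (not the products' real schema).
SCHEMA = """
CREATE TABLE reports (id INTEGER PRIMARY KEY, owner TEXT, name TEXT);
CREATE TABLE credentials (id INTEGER PRIMARY KEY, account TEXT, secret TEXT);
INSERT INTO reports VALUES (1, 'alice', 'weekly-access'), (2, 'bob', 'quarterly-audit');
INSERT INTO credentials VALUES (1, 'svc-backup', 'S3cr3t-1'), (2, 'db-admin', 'S3cr3t-2');
"""

# UNION payload for the vulnerable builder: the quote closes the LIKE
# literal, the second SELECT pulls one column from another table, and the
# comment marker discards the remainder of the original statement.
INJECTED_FILTER = "x%' UNION SELECT account || ':' || secret FROM credentials -- "


def make_db():
    """Return an in-memory SQLite connection loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def report_rows_vulnerable(conn, user, name_filter):
    """CWE-89: the caller-controlled filter is pasted into the statement text."""
    sql = ("SELECT name FROM reports WHERE owner = '%s' AND name LIKE '%%%s%%'"
           % (user, name_filter))
    return [row[0] for row in conn.execute(sql)]


def report_rows_safe(conn, user, name_filter):
    """Same query with both values bound as parameters; the filter is data only."""
    sql = "SELECT name FROM reports WHERE owner = ? AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (user, "%" + name_filter + "%"))]


def demo():
    """Run both builders with a benign filter and with the injected one."""
    conn = make_db()
    return {
        "benign_vulnerable": report_rows_vulnerable(conn, "alice", "weekly"),
        "benign_safe": report_rows_safe(conn, "alice", "weekly"),
        # sorted(): UNION returns a set, so row order is not guaranteed
        "injected_vulnerable": sorted(report_rows_vulnerable(conn, "alice", INJECTED_FILTER)),
        "injected_safe": report_rows_safe(conn, "alice", INJECTED_FILTER),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the benign filter both builders return only the caller's own report. With the payload, the concatenating builder returns every account and secret from the credentials table even though the caller is a low-privileged user, which is the confidentiality impact the CVSS vector records; the parameterized builder treats the whole payload as a LIKE pattern and matches nothing. Note that binding parameters does not stop a user from supplying LIKE wildcards such as `%` in the filter; that is a scoping question for the report feature, not injection, and restricting who can reach the module (previous bullet) remains the operator-side mitigation.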

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 16 Apr 2026 14:00:00 +0000

Type | Values Removed | Values Added
Description | | Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 are vulnerable to Authenticated SQL injection in the query report module.
Title | | SQL Injection
First Time appeared | | Zohocorp; Zohocorp manageengine Pam360; Zohocorp manageengine Password Manager Pro
Weaknesses | | CWE-89
CPEs | | cpe:2.3:a:zohocorp:manageengine_pam360:*:*:*:*:*:*:*:*; cpe:2.3:a:zohocorp:manageengine_password_manager_pro:*:*:*:*:*:*:*:*
Vendors & Products | | Zohocorp; Zohocorp manageengine Pam360; Zohocorp manageengine Password Manager Pro
References | |
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Zohocorp

Published:

Updated: 2026-04-17T03:55:15.059Z

Reserved: 2026-04-08T10:55:40.854Z

Link: CVE-2026-5785

Vulnrichment

Updated: 2026-04-16T14:25:24.637Z

NVD

Status: Awaiting Analysis

Published: 2026-04-16T14:16:18.430

Modified: 2026-06-17T10:59:38.587

Link: CVE-2026-5785

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T13:30:05Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')