CVE-2026-1367

Received Received - Intake

Authenticated SQL Injection in ManageEngine ADSelfService Plus Search

Publication date: 2026-02-23

Last updated on: 2026-02-23

Assigner: ManageEngine

Description

Zohocorp ManageEngine ADSelfService Plus versions 6522 and below are vulnerable to authenticated SQL Injection in the search report option.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-02-23

Last Modified

2026-02-23

Generated

2026-06-16

AI Q&A

2026-02-23

EPSS Evaluated

2026-06-15

NVD

CVE-2026-1367

EUVD

EUVD-2026-7392

Affected Vendors & Products

Vendor	Product	Version / Range
zohocorp	manageengine_adselfservice_plus	to 6523 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Mitigation Strategies

To mitigate the CVE-2026-1367 vulnerability, users should update their ADSelfService Plus instances to build 6523 or later.

This update includes proper sanitization of all database queries, which fixes the authenticated SQL injection vulnerability in the Reports module.

Applying the service pack containing this build is the recommended immediate step to prevent exploitation.

Detection Guidance

I don't know

Impact Analysis

This vulnerability can allow an authenticated technician to execute arbitrary SQL commands on the ADSelfService Plus database.

Unauthorized modification of database contents.
Potential compromise of sensitive user data managed by ADSelfService Plus.
Disruption of password self-service and identity management functions.
Increased risk of further security breaches due to compromised database integrity.

Executive Summary

CVE-2026-1367 is a high-severity SQL injection vulnerability found in Zoho ManageEngine ADSelfService Plus versions 6522 and below.

The vulnerability occurs in the Reports module when an authenticated technician inputs custom search parameters that are not properly validated or sanitized before being used in SQL queries.

This flaw allows authenticated technicians to execute arbitrary SQL commands on the ADSelfService Plus database, potentially leading to unauthorized modifications.

The issue was fixed in build 6523 by implementing proper sanitization of all database queries.

Compliance Impact

I don't know

Hi! I’m here to help you understand CVE-2026-1367. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-1367

Authenticated SQL Injection in ManageEngine ADSelfService Plus Search

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart