CVE-2026-1367
Authenticated SQL Injection in ManageEngine ADSelfService Plus Search
Publication date: 2026-02-23
Last updated on: 2026-02-23
Assigner: ManageEngine
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zohocorp | manageengine_adselfservice_plus | below 6523 (6523 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-1367 vulnerability, users should update their ADSelfService Plus instances to build 6523 or later.
This update includes proper sanitization of all database queries, which fixes the authenticated SQL injection vulnerability in the Reports module.
Applying the service pack containing this build is the recommended immediate step to prevent exploitation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
How can this vulnerability impact me?
This vulnerability can allow an authenticated technician to execute arbitrary SQL commands on the ADSelfService Plus database.
- Unauthorized modification of database contents.
- Potential compromise of sensitive user data managed by ADSelfService Plus.
- Disruption of password self-service and identity management functions.
- Increased risk of further security breaches due to compromised database integrity.
Can you explain this vulnerability to me?
CVE-2026-1367 is a high-severity SQL injection vulnerability found in Zoho ManageEngine ADSelfService Plus versions 6522 and below.
The vulnerability occurs in the Reports module when an authenticated technician inputs custom search parameters that are not properly validated or sanitized before being used in SQL queries.
This flaw allows authenticated technicians to execute arbitrary SQL commands on the ADSelfService Plus database, potentially leading to unauthorized modifications.
The issue was fixed in build 6523 by implementing proper sanitization of all database queries.
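The following is an added illustration, not code from ADSelfService Plus or ManageEngine: a hypothetical report search in which the technician-supplied filter is concatenated into SQL (the CWE-89 pattern described above) beside the same search written with a bound parameter, which is the standard hardening technique assumed here. The table, column names and rows are constructed for the demo.

```python
import sqlite3

# Constructed sample data standing in for a reporting table; not the product's schema.
SAMPLE_ROWS = [
    ("alice", "Finance"),
    ("bob", "IT"),
    ("carol", "HR"),
]


def make_db():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE report_users (name TEXT, department TEXT)")
    conn.executemany("INSERT INTO report_users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, department):
    """Concatenates the user-controlled filter straight into the SQL text (CWE-89)."""
    sql = ("SELECT name FROM report_users WHERE department = '"
           + department + "' ORDER BY name")
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, department):
    """Binds the filter as a parameter, so the driver treats it purely as data."""
    sql = "SELECT name FROM report_users WHERE department = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (department,))]


def demo():
    """Run both variants on a benign filter and on a filter containing SQL syntax."""
    conn = make_db()
    benign = "IT"
    crafted = "x' OR '1'='1"   # constructed input carrying SQL syntax
    return {
        "vulnerable_benign": search_vulnerable(conn, benign),
        "vulnerable_crafted": search_vulnerable(conn, crafted),
        "fixed_benign": search_parameterized(conn, benign),
        "fixed_crafted": search_parameterized(conn, crafted),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(label, names)
```

With the concatenated query the crafted filter widens the WHERE clause and returns every row; the parameterized query matches it literally as a department name and returns nothing.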
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know