CVE-2026-28754
Stored XSS in ManageEngine Exchange Reporter Plus Distribution Lists
Publication date: 2026-04-03
Last updated on: 2026-04-03
Assigner: ManageEngine
Description
CVSS Scores
EPSS Scores
| EPSS metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zohocorp | manageengine_exchange_reporter_plus | 5.8 |
| zohocorp | manageengine_exchange_reporter_plus | up to 5.8 (excluding 5.8) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me?
Exploitation of this vulnerability can enable an attacker to perform unauthorized actions within Exchange Reporter Plus by executing malicious scripts in the context of any user who views the affected Distribution Lists report.
Since the attacker needs Exchange administrative privileges to inject the script, the impact includes potential misuse of high-level privileges and compromise of sensitive Exchange data or configurations.
Can you explain this vulnerability to me?
CVE-2026-28754 is a stored Cross-Site Scripting (XSS) vulnerability found in the Distribution Lists report of ManageEngine Exchange Reporter Plus versions 5801 and below.
This vulnerability allows an authenticated attacker with Exchange administrative privileges to inject malicious scripts that get stored and executed when other users view the compromised report.
The issue arises from improper input validation, which was fixed in build 5802 by preventing script injection.
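The following is an added illustration of the CWE-79 pattern behind this class of flaw and of the standard fix; it is not code from Exchange Reporter Plus or ManageEngine, and the distribution list names, the report-rendering functions and the audit helper are all constructed for the example. A stored XSS arises when a value an authenticated administrator can set (here a distribution list display name) is written into an HTML report without output encoding, so every later viewer's browser executes whatever markup was stored; entity-encoding the value for the HTML context it lands in neutralizes it.

```python
import html

# Constructed sample values: display names as they might be stored in a
# directory, one of which carries markup (hypothetical, not from the advisory).
SAMPLE_NAMES = [
    "Sales Team",
    "Finance <script>alert('xss')</script>",
    "R&D Leads",
]


def encode_for_html(value: str) -> str:
    """Entity-encode a value for an HTML element-content context.

    html.escape with quote=True turns < > & " ' into entities, so stored
    markup is displayed as text rather than parsed by the viewer's browser.
    """
    return html.escape(value, quote=True)


def render_report(names, encoder):
    """Render a minimal 'Distribution Lists' table.

    `encoder` is applied to every user-controlled value before it is placed
    in the page. Passing the identity function reproduces the vulnerable
    pattern; passing encode_for_html reproduces the fix.
    """
    rows = "".join(f"<tr><td>{encoder(name)}</td></tr>" for name in names)
    return f"<table>{rows}</table>"


def count_script_tags(document: str) -> int:
    """Defender-side check: how many raw <script tags survived into the output?"""
    return document.lower().count("<script")


def find_markup_in_stored_values(names):
    """Lightweight audit: flag stored values containing HTML-significant
    characters, so they can be reviewed before the report is trusted.
    Returns the offending values in input order."""
    return [n for n in names if any(ch in n for ch in "<>\"'")]


if __name__ == "__main__":
    vulnerable = render_report(SAMPLE_NAMES, lambda s: s)
    fixed = render_report(SAMPLE_NAMES, encode_for_html)
    print("raw <script tags, vulnerable rendering:", count_script_tags(vulnerable))
    print("raw <script tags, encoded rendering:   ", count_script_tags(fixed))
    print("stored values worth reviewing:", find_markup_in_stored_values(SAMPLE_NAMES))
```

Encoding is context-specific: the element-content encoding shown here is not sufficient for a value placed inside a JavaScript string, a URL, or an unquoted attribute, each of which needs its own encoder. The audit helper is only an indicator for review; legitimate names such as "R&D Leads" contain no markup characters and are not flagged, while the escaped rendering still displays them correctly as `R&amp;D Leads` in the page source.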
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability is a stored Cross-Site Scripting (XSS) issue in the Distribution Lists report of Exchange Reporter Plus versions 5801 and below. Detection involves identifying if your Exchange Reporter Plus instance is running a vulnerable build.
There are no specific commands provided to detect exploitation or presence of the vulnerability on your network or system.
To check the version of Exchange Reporter Plus installed, you may need to access the application interface or check the installation details, but no explicit command-line instructions are given.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update Exchange Reporter Plus to build 5802 or later, where the issue has been fixed by implementing proper input validation to prevent script injection.
Users should apply the service pack update released on March 19, 2026.
For assistance with updating or further inquiries, contacting product support or the security team is recommended.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability is a stored Cross-Site Scripting (XSS) flaw in the Distribution Lists report of Exchange Reporter Plus, which could allow an attacker to perform unauthorized actions by injecting malicious scripts.
Such unauthorized actions and potential data manipulation or exposure could impact the integrity and confidentiality of data handled by the system, which are critical aspects of compliance with standards like GDPR and HIPAA.
However, the provided information does not explicitly detail the direct effects on compliance with these regulations.