CVE-2026-28754
Received Received - Intake

Stored XSS in ManageEngine Exchange Reporter Plus Distribution Lists

Vulnerability report for CVE-2026-28754, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-03

Last updated on: 2026-04-03

Assigner: ManageEngine

Description

Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Distribution Lists report.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-03
Last Modified
2026-04-03
Generated
2026-07-06
AI Q&A
2026-04-03
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
zohocorp manageengine_exchange_reporter_plus 5.8
zohocorp manageengine_exchange_reporter_plus 5.8
zohocorp manageengine_exchange_reporter_plus to 5.8 (exc)
zohocorp manageengine_exchange_reporter_plus 5.8

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

Exploitation of this vulnerability can enable an attacker to perform unauthorized actions within Exchange Reporter Plus by executing malicious scripts in the context of any user who views the infected Distribution Lists report.

Since the attacker needs Exchange administrative privileges to inject the script, the impact includes potential misuse of high-level privileges and compromise of sensitive Exchange data or configurations.

Executive Summary

CVE-2026-28754 is a stored Cross-Site Scripting (XSS) vulnerability found in the Distribution Lists report of ManageEngine Exchange Reporter Plus versions 5801 and below.

This vulnerability allows an authenticated attacker with Exchange administrative privileges to inject malicious scripts that get stored and executed when other users view the compromised report.

The issue arises from improper input validation, which was fixed in build 5802 by preventing script injection.

Detection Guidance

The vulnerability is a stored Cross-Site Scripting (XSS) issue in the Distribution Lists report of Exchange Reporter Plus versions 5801 and below. Detection involves identifying if your Exchange Reporter Plus instance is running a vulnerable build.

There are no specific commands provided to detect exploitation or presence of the vulnerability on your network or system.

To check the version of Exchange Reporter Plus installed, you may need to access the application interface or check the installation details, but no explicit command-line instructions are given.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update Exchange Reporter Plus to build 5802 or later, where the issue has been fixed by implementing proper input validation to prevent script injection.

Users should apply the service pack update released on March 19, 2026.

For assistance with updating or further inquiries, contacting product support or the security team is recommended.

Compliance Impact

The vulnerability is a stored Cross-Site Scripting (XSS) flaw in the Distribution Lists report of Exchange Reporter Plus, which could allow an attacker to perform unauthorized actions by injecting malicious scripts.

Such unauthorized actions and potential data manipulation or exposure could impact the integrity and confidentiality of data handled by the system, which are critical aspects of compliance with standards like GDPR and HIPAA.

However, the provided information does not explicitly detail the direct effects on compliance with these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28754. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart