CVE-2026-4107
Received Received - Intake

Stored XSS in ManageEngine Exchange Reporter Plus Report

Vulnerability report for CVE-2026-4107, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-03

Last updated on: 2026-04-03

Assigner: ManageEngine

Description

Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Folder Message Count and Size report.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-03
Last Modified
2026-04-03
Generated
2026-07-06
AI Q&A
2026-04-03
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
zohocorp manageengine_exchange_reporter_plus 5.8
zohocorp manageengine_exchange_reporter_plus 5.8
zohocorp manageengine_exchange_reporter_plus to 5.8 (exc)
zohocorp manageengine_exchange_reporter_plus 5.8

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-4107 is a high-severity stored Cross-Site Scripting (XSS) vulnerability found in Zoho ManageEngine Exchange Reporter Plus, specifically in the Folder Message Count and Size report within the Reports module.

This vulnerability affects versions with build numbers 5801 and below. An authenticated attacker who is a mailbox user within the Exchange organization can exploit this flaw to execute malicious scripts.

The issue arises because of improper input validation, allowing malicious script injection. It was fixed in build 5802 by implementing proper input validation.

Impact Analysis

Successful exploitation of this vulnerability may lead to unauthorized access to Exchange Reporter Plus by leveraging the privileges of the victim interacting with the compromised component.

This means an attacker could execute malicious scripts within the context of a legitimate user, potentially accessing sensitive information or performing unauthorized actions within the Exchange Reporter Plus environment.

Mitigation Strategies

To mitigate the CVE-2026-4107 vulnerability, users should update their Exchange Reporter Plus instances to build 5802 or later, as this update includes proper input validation to prevent malicious script injection.

If you need assistance with updating or have further inquiries, you should contact the product support or the security team.

Compliance Impact

The provided information does not specify how the CVE-2026-4107 vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4107. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart