{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1367", "assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02", "state": "PUBLISHED", "assignerShortName": "Zohocorp", "dateReserved": "2026-01-23T12:04:24.781Z", "datePublished": "2026-02-23T06:54:25.937Z", "dateUpdated": "2026-02-26T14:44:11.687Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "ManageEngine ADSelfService Plus", "vendor": "Zohocorp", "versions": [{"lessThan": "6523", "status": "affected", "version": "0", "versionType": "6523"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:*:*:*:*:*:*:*:*", "versionEndExcluding": "6523", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Dang Toan"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Zohocorp ManageEngine ADSelfService Plus versions 6522 and below are vulnerable to authenticated SQL Injection in the search report option."}], "value": "Zohocorp ManageEngine ADSelfService Plus versions 6522 and below are vulnerable to authenticated SQL Injection in the search report option."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02", "shortName": "Zohocorp", "dateUpdated": "2026-02-23T06:54:25.937Z"}, "references": [{"url": "https://www.manageengine.com/uk/products/self-service-password/advisory/CVE-2026-1367.html"}], "source": {"discovery": "EXTERNAL"}, "title": "SQL Injection", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1367", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-24T04:56:29.931620Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:44:11.687Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1367", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-24T04:56:29.931620Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T13:21:22.467Z"}}], "cna": {"title": "SQL Injection", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Dang Toan"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Zohocorp", "product": "ManageEngine ADSelfService Plus", "versions": [{"status": "affected", "version": "0", "lessThan": "6523", "versionType": "6523"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.manageengine.com/uk/products/self-service-password/advisory/CVE-2026-1367.html"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Zohocorp ManageEngine ADSelfService Plus versions 6522 and below are vulnerable to authenticated SQL Injection in the search report option.", "supportingMedia": [{"type": "text/html", "value": "Zohocorp ManageEngine ADSelfService Plus versions 6522 and below are vulnerable to authenticated SQL Injection in the search report option.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6523", "versionStartIncluding": "0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02", "shortName": "Zohocorp", "dateUpdated": "2026-02-23T06:54:25.937Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1367", "state": "PUBLISHED", "dateUpdated": "2026-02-26T14:44:11.687Z", "dateReserved": "2026-01-23T12:04:24.781Z", "assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02", "datePublished": "2026-02-23T06:54:25.937Z", "assignerShortName": "Zohocorp"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Zohocorp ManageEngine ADSelfService Plus versions 6522 and below are vulnerable to authenticated SQL Injection in the search report option."}, {"lang": "es", "value": "Zohocorp ManageEngine ADSelfService Plus versiones 6522 e inferiores son vulnerables a inyecci\u00f3n SQL autenticada en la opci\u00f3n de informe de b\u00fasqueda."}], "id": "CVE-2026-1367", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "0fc0942c-577d-436f-ae8e-945763c79b02", "type": "Secondary"}]}, "published": "2026-02-23T08:16:13.460", "references": [{"source": "0fc0942c-577d-436f-ae8e-945763c79b02", "url": "https://www.manageengine.com/uk/products/self-service-password/advisory/CVE-2026-1367.html"}], "sourceIdentifier": "0fc0942c-577d-436f-ae8e-945763c79b02", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "0fc0942c-577d-436f-ae8e-945763c79b02", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,6523)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "ManageEngine ADSelfService Plus", "source": "cna", "vendor": "Zohocorp"}, "product": "manageengine_adselfservice_plus", "vendor": "zohocorp"}], "analysis": {"en": {"generated_at": "2026-04-17T16:21:09.915171+00:00", "value": {"mitigation_remediation": ["Install the latest ManageEngine ADSelfService Plus release (version 6523 or later) to contain the SQL injection flaw", "Limit user permissions so that only trusted administrators can access the search report functionality", "If the search feature is not needed, disable it via the application settings to remove the attack surface"], "summary": {"action": "Apply Patch", "impact": "Unauthorized database access and data exposure via SQL injection"}, "threat_synthesis": {"affected_systems": "The flaw affects ManageEngine ADSelfService Plus versions 6522 and earlier. These releases are bundled under the Zohocorp vendor, and the issue is not present in newer versions released after 6522.\n", "description_and_impact": "Authenticated users of Zohocorp ManageEngine ADSelfService Plus can exploit a flaw in the search report option to inject arbitrary SQL. The vulnerability allows attackers to read, modify, or delete sensitive data stored in the database, potentially leading to a compromise of confidentiality and integrity of user information. While the exact damage depends on the privileges of the attacker, the impact includes unauthorized data access and possible manipulation of system configuration.\n", "risk_and_exploitability": "With a CVSS score of 8.3, the vulnerability is considered high severity. The EPSS score of less than 1% indicates a low probability of exploitation in the wild, and it is not listed in the CISA KEV catalog. The likely attack vector requires authentication and access to the search report feature, so only users with legitimate credentials and sufficient privileges can target the system."}}}}, "created": "2026-02-23T14:28:10.177026+00:00", "updated": "2026-04-17T16:30:05.825493+00:00", "vendors": ["zohocorp", "zohocorp$PRODUCT$manageengine_adselfservice_plus"]}