{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28703", "assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02", "state": "PUBLISHED", "assignerShortName": "Zohocorp", "dateReserved": "2026-03-13T11:43:54.676Z", "datePublished": "2026-04-03T11:29:06.108Z", "dateUpdated": "2026-04-04T03:55:30.454Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02", "shortName": "Zohocorp", "dateUpdated": "2026-04-03T11:29:06.108Z"}, "title": "Stored XSS Vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')", "type": "CWE"}]}], "affected": [{"vendor": "Zohocorp", "product": "ManageEngine Exchange Reporter Plus", "versions": [{"status": "affected", "version": "0", "lessThan": "5802", "versionType": "5802"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:*", "versionStartIncluding": "0", "versionEndExcluding": "5802"}]}]}], "descriptions": [{"lang": "en", "value": "Zohocorp ManageEngine Exchange Reporter Plus\u00a0versions before 5802 are vulnerable to\u00a0Stored XSS\u00a0in\u00a0Mails Exchanged Between Users\u00a0report.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div><div><p>Zohocorp ManageEngine Exchange Reporter Plus&nbsp;versions before 5802 are vulnerable to&nbsp;Stored XSS&nbsp;in&nbsp;Mails Exchanged Between Users&nbsp;report.</p></div></div>"}]}], "references": [{"url": "https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-28703.html"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"}}], "credits": [{"lang": "en", "value": "C311", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-28703"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-04T03:55:30.454Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28703", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T12:48:26.097355Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T12:48:29.354Z"}}], "cna": {"title": "Stored XSS Vulnerability", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "C311"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Zohocorp", "product": "ManageEngine Exchange Reporter Plus", "versions": [{"status": "affected", "version": "0", "lessThan": "5802", "versionType": "5802"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-28703.html"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Zohocorp ManageEngine Exchange Reporter Plus\u00a0versions before 5802 are vulnerable to\u00a0Stored XSS\u00a0in\u00a0Mails Exchanged Between Users\u00a0report.", "supportingMedia": [{"type": "text/html", "value": "<div><div><p>Zohocorp ManageEngine Exchange Reporter Plus&nbsp;versions before 5802 are vulnerable to&nbsp;Stored XSS&nbsp;in&nbsp;Mails Exchanged Between Users&nbsp;report.</p></div></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5802", "versionStartIncluding": "0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02", "shortName": "Zohocorp", "dateUpdated": "2026-04-03T11:29:06.108Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28703", "state": "PUBLISHED", "dateUpdated": "2026-04-04T03:55:30.454Z", "dateReserved": "2026-03-13T11:43:54.676Z", "assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02", "datePublished": "2026-04-03T11:29:06.108Z", "assignerShortName": "Zohocorp"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:*", "matchCriteriaId": "7A7FD58A-DC4B-4FBB-B20D-5050A0D321F1", "versionEndExcluding": "5.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:-:*:*:*:*:*:*", "matchCriteriaId": "94D09BE3-96E1-432B-9882-D7DF3C070CE2", "vulnerable": true}, {"criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:5800:*:*:*:*:*:*", "matchCriteriaId": "CCAB839F-E577-4CBB-9E43-DBC0BECFA8B1", "vulnerable": true}, {"criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:5801:*:*:*:*:*:*", "matchCriteriaId": "53414E87-0848-4245-9D58-9A74E550E3CC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Zohocorp ManageEngine Exchange Reporter Plus\u00a0versions before 5802 are vulnerable to\u00a0Stored XSS\u00a0in\u00a0Mails Exchanged Between Users\u00a0report."}], "id": "CVE-2026-28703", "lastModified": "2026-04-03T18:50:54.473", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.2, "source": "0fc0942c-577d-436f-ae8e-945763c79b02", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-03T12:16:17.490", "references": [{"source": "0fc0942c-577d-436f-ae8e-945763c79b02", "tags": ["Vendor Advisory"], "url": "https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-28703.html"}], "sourceIdentifier": "0fc0942c-577d-436f-ae8e-945763c79b02", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "0fc0942c-577d-436f-ae8e-945763c79b02", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5802)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "ManageEngine Exchange Reporter Plus", "source": "cna", "vendor": "Zohocorp"}, "product": "manageengine_exchange_reporter_plus", "vendor": "zohocorp"}], "analysis": {"en": {"generated_at": "2026-04-03T21:21:58.095533+00:00", "value": {"mitigation_remediation": ["Upgrade ManageEngine Exchange Reporter Plus to version 5802 or later", "Verify the installed version against the affected version list and apply any available vendor patches", "Review and restrict access to the Mails Exchanged Between Users report to trusted users only"], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Zohocorp ManageEngine Exchange Reporter Plus versions prior to 5802, including the 5.8 series and sub\u2011builds 5800 and 5801, are vulnerable. Any deployment using these versions could be exposed to the vulnerability.", "description_and_impact": "A stored cross\u2011site scripting vulnerability exists in the Mails Exchanged Between Users report of ManageEngine Exchange Reporter Plus. The flaw allows an attacker to inject malicious script code that is persisted in the report data, and executed when a user views the report. This can lead to theft of session cookies, user credentials, or the execution of arbitrary actions on behalf of the victim.", "risk_and_exploitability": "The vulnerability has a CVSS score of 7.3, indicating high severity. The EPSS score is below 1%, suggesting a low current exploit probability, and it is not listed in the CISA KEV catalog. The attack is likely to occur when a malicious user crafts or injects content into the report, which is then displayed to legitimate users who open the Mails Exchanged Between Users report. The impact could enable session hijacking or other lateral actions, however the exploit would require the victim to view the compromised report. Therefore, while the risk is moderate, the potential damage is significant if users are unaware of the threat."}}}}, "created": "2026-04-03T21:14:27.131550+00:00", "title": "Stored XSS in Mails Exchanged Between Users Report in ManageEngine Exchange Reporter Plus Before Version 5802", "updated": "2026-04-07T07:55:08.531267+00:00", "vendors": ["zohocorp", "zohocorp$PRODUCT$manageengine_exchange_reporter_plus"]}