{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28756", "assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02", "state": "PUBLISHED", "assignerShortName": "Zohocorp", "dateReserved": "2026-03-13T11:43:54.683Z", "datePublished": "2026-04-03T11:11:37.599Z", "dateUpdated": "2026-04-04T03:55:24.331Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02", "shortName": "Zohocorp", "dateUpdated": "2026-04-03T11:11:37.599Z"}, "title": "Stored XSS Vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')", "type": "CWE"}]}], "affected": [{"vendor": "Zohocorp", "product": "ManageEngine Exchange Reporter Plus", "versions": [{"status": "affected", "version": "0", "lessThan": "5802", "versionType": "5802"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:*", "versionStartIncluding": "0", "versionEndExcluding": "5802"}]}]}], "descriptions": [{"lang": "en", "value": "Zohocorp ManageEngine Exchange Reporter Plus\u00a0versions before 5802 are vulnerable to\u00a0Stored XSS\u00a0in\u00a0Permissions based on Distribution Groups\u00a0report.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div><div><p>Zohocorp ManageEngine Exchange Reporter Plus&nbsp;versions before 5802 are vulnerable to&nbsp;Stored XSS&nbsp;in&nbsp;Permissions based on Distribution Groups&nbsp;report.</p></div></div>"}]}], "references": [{"url": "https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-28756.html"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"}}], "credits": [{"lang": "en", "value": "C311", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-28756"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-04T03:55:24.331Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28756", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T12:05:54.852934Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T12:08:17.860Z"}}], "cna": {"title": "Stored XSS Vulnerability", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "C311"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Zohocorp", "product": "ManageEngine Exchange Reporter Plus", "versions": [{"status": "affected", "version": "0", "lessThan": "5802", "versionType": "5802"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-28756.html"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Zohocorp ManageEngine Exchange Reporter Plus\u00a0versions before 5802 are vulnerable to\u00a0Stored XSS\u00a0in\u00a0Permissions based on Distribution Groups\u00a0report.", "supportingMedia": [{"type": "text/html", "value": "<div><div><p>Zohocorp ManageEngine Exchange Reporter Plus&nbsp;versions before 5802 are vulnerable to&nbsp;Stored XSS&nbsp;in&nbsp;Permissions based on Distribution Groups&nbsp;report.</p></div></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5802", "versionStartIncluding": "0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02", "shortName": "Zohocorp", "dateUpdated": "2026-04-03T11:11:37.599Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28756", "state": "PUBLISHED", "dateUpdated": "2026-04-04T03:55:24.331Z", "dateReserved": "2026-03-13T11:43:54.683Z", "assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02", "datePublished": "2026-04-03T11:11:37.599Z", "assignerShortName": "Zohocorp"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:*", "matchCriteriaId": "7A7FD58A-DC4B-4FBB-B20D-5050A0D321F1", "versionEndExcluding": "5.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:-:*:*:*:*:*:*", "matchCriteriaId": "94D09BE3-96E1-432B-9882-D7DF3C070CE2", "vulnerable": true}, {"criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:5800:*:*:*:*:*:*", "matchCriteriaId": "CCAB839F-E577-4CBB-9E43-DBC0BECFA8B1", "vulnerable": true}, {"criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:5801:*:*:*:*:*:*", "matchCriteriaId": "53414E87-0848-4245-9D58-9A74E550E3CC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Zohocorp ManageEngine Exchange Reporter Plus\u00a0versions before 5802 are vulnerable to\u00a0Stored XSS\u00a0in\u00a0Permissions based on Distribution Groups\u00a0report."}], "id": "CVE-2026-28756", "lastModified": "2026-04-03T18:52:01.003", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.2, "source": "0fc0942c-577d-436f-ae8e-945763c79b02", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-03T11:17:05.767", "references": [{"source": "0fc0942c-577d-436f-ae8e-945763c79b02", "tags": ["Vendor Advisory"], "url": "https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-28756.html"}], "sourceIdentifier": "0fc0942c-577d-436f-ae8e-945763c79b02", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "0fc0942c-577d-436f-ae8e-945763c79b02", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5802)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "ManageEngine Exchange Reporter Plus", "source": "cna", "vendor": "Zohocorp"}, "product": "manageengine_exchange_reporter_plus", "vendor": "zohocorp"}], "analysis": {"en": {"generated_at": "2026-04-03T21:22:25.445720+00:00", "value": {"mitigation_remediation": ["Upgrade to ManageEngine Exchange Reporter Plus version 5802 or later to eliminate the storage of unsafe script payloads.", "If an immediate upgrade is not possible, restrict or remove the ability for users to create or modify Permissions based on Distribution Groups reports, limiting the attack surface.", "Implement server\u2011side input sanitization or output encoding for report content to neutralize embedded scripts.", "Deploy a Web Application Firewall rule that blocks payloads containing potentially malicious script tags or JavaScript code.", "Verify that reports render without executing injected scripts and monitor application logs for suspicious input patterns."], "summary": {"action": "Apply Patch", "impact": "Client\u2011side Script Execution via Stored XSS"}, "threat_synthesis": {"affected_systems": "Versions of ManageEngine Exchange Reporter Plus earlier than 5802, including the 5.8 series up to 5.8.5801, are affected.", "description_and_impact": "Zohocorp ManageEngine Exchange Reporter Plus stores malicious JavaScript in the Permissions based on Distribution Groups report, allowing an attacker to inject code that is rendered in the victim\u2019s browser. This stored XSS can enable credential theft, session hijacking, or defacement of the web interface, impacting the confidentiality and integrity of user data. The vulnerability is a classic client\u2011side cross\u2011site scripting flaw (CWE\u201179).", "risk_and_exploitability": "The CVSS score of 7.3 indicates high severity, but the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in CISA\u2019s KEV catalog. The attack vector is inferred to be a web\u2011based input form used for creating or editing the Distribution Groups report; a user with sufficient privileges can submit a malicious payload that is then persistently stored and later executed when the report is viewed. If the application allows unauthenticated or low\u2011privilege users to create such reports, risk increases, otherwise the impact is limited to users with direct access to the report. The potential for both user\u2011targeted and broader compromise remains, warranting corrective action."}}}}, "created": "2026-04-03T21:14:28.049424+00:00", "updated": "2026-04-07T07:55:09.516410+00:00", "vendors": ["zohocorp", "zohocorp$PRODUCT$manageengine_exchange_reporter_plus"]}