{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3880", "assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02", "state": "PUBLISHED", "assignerShortName": "Zohocorp", "dateReserved": "2026-03-10T13:16:19.257Z", "datePublished": "2026-04-03T11:41:24.702Z", "dateUpdated": "2026-04-04T03:55:29.128Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02", "shortName": "Zohocorp", "dateUpdated": "2026-04-03T11:41:24.702Z"}, "title": "Stored XSS Vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')", "type": "CWE"}]}], "affected": [{"vendor": "Zohocorp", "product": "ManageEngine Exchange Reporter Plus", "versions": [{"status": "affected", "version": "0", "lessThan": "5802", "versionType": "5802"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:*", "versionStartIncluding": "0", "versionEndExcluding": "5802"}]}]}], "descriptions": [{"lang": "en", "value": "Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in\u00a0Public Folder Client Permissions\u00a0report.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Public Folder Client Permissions report."}]}], "references": [{"url": "https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-3880.html"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"}}], "credits": [{"lang": "en", "value": "C311", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-3880"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-04T03:55:29.128Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3880", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T12:47:36.596327Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T12:47:38.909Z"}}], "cna": {"title": "Stored XSS Vulnerability", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "C311"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Zohocorp", "product": "ManageEngine Exchange Reporter Plus", "versions": [{"status": "affected", "version": "0", "lessThan": "5802", "versionType": "5802"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-3880.html"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in\u00a0Public Folder Client Permissions\u00a0report.", "supportingMedia": [{"type": "text/html", "value": "Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Public Folder Client Permissions report.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5802", "versionStartIncluding": "0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02", "shortName": "Zohocorp", "dateUpdated": "2026-04-03T11:41:24.702Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3880", "state": "PUBLISHED", "dateUpdated": "2026-04-04T03:55:29.128Z", "dateReserved": "2026-03-10T13:16:19.257Z", "assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02", "datePublished": "2026-04-03T11:41:24.702Z", "assignerShortName": "Zohocorp"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:*", "matchCriteriaId": "7A7FD58A-DC4B-4FBB-B20D-5050A0D321F1", "versionEndExcluding": "5.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:-:*:*:*:*:*:*", "matchCriteriaId": "94D09BE3-96E1-432B-9882-D7DF3C070CE2", "vulnerable": true}, {"criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:5800:*:*:*:*:*:*", "matchCriteriaId": "CCAB839F-E577-4CBB-9E43-DBC0BECFA8B1", "vulnerable": true}, {"criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:5801:*:*:*:*:*:*", "matchCriteriaId": "53414E87-0848-4245-9D58-9A74E550E3CC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in\u00a0Public Folder Client Permissions\u00a0report."}], "id": "CVE-2026-3880", "lastModified": "2026-04-03T18:27:41.177", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.2, "source": "0fc0942c-577d-436f-ae8e-945763c79b02", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-03T12:16:18.933", "references": [{"source": "0fc0942c-577d-436f-ae8e-945763c79b02", "tags": ["Vendor Advisory"], "url": "https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-3880.html"}], "sourceIdentifier": "0fc0942c-577d-436f-ae8e-945763c79b02", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "0fc0942c-577d-436f-ae8e-945763c79b02", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5802)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "ManageEngine Exchange Reporter Plus", "source": "cna", "vendor": "Zohocorp"}, "product": "manageengine_exchange_reporter_plus", "vendor": "zohocorp"}], "analysis": {"en": {"generated_at": "2026-04-03T21:21:33.868366+00:00", "value": {"mitigation_remediation": ["Apply the vendor-provided update to version 5802 or later. If an upgrade cannot be performed immediately, restrict or disable access to the Public Folder Client Permissions report for all but trusted administrators. Implement output sanitization or a strict content security policy to block execution of injected scripts from the report."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Zohocorp ManageEngine Exchange Reporter Plus, all releases prior to 5802, including the 5.8.x series up to 5801. These versions contain the vulnerable Public Folder Client Permissions report functionality. ", "description_and_impact": "The vulnerability is a stored cross\u2011site scripting flaw in the Public Folder Client Permissions report of Zohocorp ManageEngine Exchange Reporter Plus. The flaw allows an attacker to embed malicious scripts that run in the browsers of users who view the report, potentially enabling session hijacking, data theft, or defacement. The weakness is classified as CWE\u201179. ", "risk_and_exploitability": "The issue carries a CVSS score of 7.3, indicating high severity, while the EPSS score is below 1%, suggesting a low likelihood of exploitation. It is not listed in the CISA KEV catalog. The likely attack vector involves an authenticated or partially authenticated user inserting malicious payloads into the report that are subsequently rendered to other users who access the report. Given its impact on confidentiality and integrity within affected systems, the risk is considered high for environments that allow report generation by users with sufficient privileges."}}}}, "created": "2026-04-03T21:14:25.234540+00:00", "updated": "2026-04-07T07:55:06.640273+00:00", "vendors": ["zohocorp", "zohocorp$PRODUCT$manageengine_exchange_reporter_plus"]}