{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4108", "assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02", "state": "PUBLISHED", "assignerShortName": "Zohocorp", "dateReserved": "2026-03-13T10:03:04.192Z", "datePublished": "2026-04-03T11:47:38.919Z", "dateUpdated": "2026-04-04T03:55:28.021Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02", "shortName": "Zohocorp", "dateUpdated": "2026-04-03T11:47:58.684Z"}, "title": "Stored XSS Vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')", "type": "CWE"}]}], "affected": [{"vendor": "Zohocorp", "product": "ManageEngine Exchange Reporter Plus", "versions": [{"status": "affected", "version": "0", "lessThan": "5802", "versionType": "5802"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:*", "versionStartIncluding": "0", "versionEndExcluding": "5802"}]}]}], "descriptions": [{"lang": "en", "value": "Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in\u00a0Non-Owner Mailbox\u00a0Permission\u00a0report.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Non-Owner Mailbox Permission report."}]}], "references": [{"url": "https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-4108.html"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-4108"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-04T03:55:28.021Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4108", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T12:26:18.378254Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T12:26:31.663Z"}}], "cna": {"title": "Stored XSS Vulnerability", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Zohocorp", "product": "ManageEngine Exchange Reporter Plus", "versions": [{"status": "affected", "version": "0", "lessThan": "5802", "versionType": "5802"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-4108.html"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in\u00a0Non-Owner Mailbox\u00a0Permission\u00a0report.", "supportingMedia": [{"type": "text/html", "value": "Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Non-Owner Mailbox Permission report.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5802", "versionStartIncluding": "0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02", "shortName": "Zohocorp", "dateUpdated": "2026-04-03T11:47:58.684Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4108", "state": "PUBLISHED", "dateUpdated": "2026-04-04T03:55:28.021Z", "dateReserved": "2026-03-13T10:03:04.192Z", "assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02", "datePublished": "2026-04-03T11:47:38.919Z", "assignerShortName": "Zohocorp"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:*", "matchCriteriaId": "7A7FD58A-DC4B-4FBB-B20D-5050A0D321F1", "versionEndExcluding": "5.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:-:*:*:*:*:*:*", "matchCriteriaId": "94D09BE3-96E1-432B-9882-D7DF3C070CE2", "vulnerable": true}, {"criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:5800:*:*:*:*:*:*", "matchCriteriaId": "CCAB839F-E577-4CBB-9E43-DBC0BECFA8B1", "vulnerable": true}, {"criteria": "cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:5.8:5801:*:*:*:*:*:*", "matchCriteriaId": "53414E87-0848-4245-9D58-9A74E550E3CC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in\u00a0Non-Owner Mailbox\u00a0Permission\u00a0report."}], "id": "CVE-2026-4108", "lastModified": "2026-04-03T18:23:54.213", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.2, "source": "0fc0942c-577d-436f-ae8e-945763c79b02", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-03T12:16:19.207", "references": [{"source": "0fc0942c-577d-436f-ae8e-945763c79b02", "tags": ["Vendor Advisory"], "url": "https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-4108.html"}], "sourceIdentifier": "0fc0942c-577d-436f-ae8e-945763c79b02", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "0fc0942c-577d-436f-ae8e-945763c79b02", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5802)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "ManageEngine Exchange Reporter Plus", "source": "cna", "vendor": "Zohocorp"}, "product": "manageengine_exchange_reporter_plus", "vendor": "zohocorp"}], "analysis": {"en": {"generated_at": "2026-04-03T15:20:42.828342+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch or upgrade to version 5802 or newer", "Restrict editing rights to the Non\u2011Owner Mailbox Permission report so only trusted administrators can create or modify entries", "Disable or delete the report feature if the product is not in active use", "Conduct an audit of recent report creation for malicious content", "Monitor web application logs for unexpected script behaviors or failed access attempts"], "summary": {"action": "Immediate Patch", "impact": "Stored XSS enabling script execution in reports"}, "threat_synthesis": {"affected_systems": "The flaw affects all ManageEngine Exchange Reporter Plus installations running versions earlier than 5802. The affected vendor is Zohocorp, and the CPE identifiers correspond to the product in question.", "description_and_impact": "Zohocorp ManageEngine Exchange Reporter Plus contains a stored cross\u2011site scripting flaw in the Non\u2011Owner Mailbox Permission report. An attacker can embed malicious JavaScript that is preserved and displayed to any user who views the report, resulting in arbitrary script execution within the victim\u2019s browser. This allows theft of session cookies, injection of forged requests, or further compromise of system integrity.", "risk_and_exploitability": "The CVSS score of 7.3 indicates a high\u2011severity vulnerability. The EPSS score is not available and the issue is not listed in the CISA KEV catalog, suggesting no widely known public exploit yet. Exploitation requires an authenticated attacker who can submit data to the report, likely limited to privileged users. However, the stored payload delivery combined with possible privilege escalation makes the risk significant, warranting prompt remediation."}}}}, "created": "2026-04-03T21:14:23.306165+00:00", "updated": "2026-04-03T21:16:38.191251+00:00", "vendors": ["zohocorp", "zohocorp$PRODUCT$manageengine_exchange_reporter_plus"]}