Platform
manageengine
Component
manageengine-exchange-reporter-plus
Fixed in
5802
CVE-2026-28703 describes a Stored Cross-Site Scripting (XSS) vulnerability affecting ManageEngine Exchange Reporter Plus. This vulnerability allows attackers to inject malicious scripts into the 'Mails Exchanged Between Users' report, which could then be executed by unsuspecting users. Versions prior to 5802 are affected, and a patch is available in version 5802.
Successful exploitation of CVE-2026-28703 allows an attacker to inject arbitrary JavaScript code into the 'Mails Exchanged Between Users' report within ManageEngine Exchange Reporter Plus. When a user views this report, the injected script executes in their browser context. This can lead to various malicious outcomes, including session hijacking, credential theft (if the user is logged into other applications), and redirection to phishing sites. The attacker could potentially gain control of the user's account and access sensitive email data. The blast radius extends to all users who view the compromised report.
CVE-2026-28703 was publicly disclosed on 2026-04-03. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability's EPSS score is currently pending evaluation. It is not listed on the CISA KEV catalog.
Exploit Status
EPSS
0.02% (5% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-28703 is to upgrade ManageEngine Exchange Reporter Plus to version 5802 or later, which contains the fix. If immediate upgrading is not possible, consider restricting access to the 'Mails Exchanged Between Users' report to only authorized personnel. Implement strict input validation and output encoding on all user-supplied data within the report generation process as a temporary workaround. Monitor web application firewalls (WAFs) for suspicious JavaScript injection attempts targeting the report endpoint.
Actualice ManageEngine Exchange Reporter Plus a la versión 5802 o posterior. Esta actualización corrige la vulnerabilidad XSS almacenada en el informe 'Mails Exchanged Between Users'.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-28703 is a Stored XSS vulnerability in ManageEngine Exchange Reporter Plus versions 0–5802, allowing attackers to inject malicious scripts into the 'Mails Exchanged Between Users' report.
If you are using ManageEngine Exchange Reporter Plus versions 0–5802, you are potentially affected by this vulnerability. Upgrade to version 5802 or later to mitigate the risk.
The recommended fix is to upgrade ManageEngine Exchange Reporter Plus to version 5802 or later. As a temporary workaround, restrict access to the vulnerable report.
As of the current date, there are no confirmed reports of active exploitation of CVE-2026-28703, but it is important to apply the patch proactively.
Please refer to the official ManageEngine security advisory for detailed information and updates regarding CVE-2026-28703: [https://www.manageengine.com/products/exchange-reporter-plus/security-advisories.html]
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.