Platform
manageengine
Component
manageengine-exchange-reporter-plus
Fixed in
5802
CVE-2026-28756 is a stored Cross-Site Scripting (XSS) vulnerability discovered in ManageEngine Exchange Reporter Plus. This vulnerability allows an attacker to inject malicious scripts into the Permissions based on Distribution Groups report, potentially leading to session hijacking or defacement. The vulnerability affects versions prior to 5802, and a patch is available in version 5802.
Successful exploitation of CVE-2026-28756 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can be leveraged to steal session cookies, redirect users to malicious websites, or modify the content displayed within the Exchange Reporter Plus interface. The impact is particularly severe if the affected system is used by privileged users, as an attacker could potentially gain access to sensitive data or compromise the entire system. The stored nature of the XSS means the payload persists until removed, potentially affecting multiple users.
CVE-2026-28756 was publicly disclosed on 2026-04-03. No public proof-of-concept (POC) code has been released at the time of writing. The vulnerability's severity is rated HIGH (CVSS 7.3), indicating a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog.
Organizations utilizing ManageEngine Exchange Reporter Plus for email reporting and analysis are at risk, particularly those relying on the Permissions based on Distribution Groups report. Shared hosting environments where multiple users share the same Exchange Reporter Plus instance are especially vulnerable, as an attacker could potentially compromise the entire environment through a single user's session.
• manageengine / web:
curl -s -X POST "<exchange_reporter_plus_url>/report/permissions_based_on_distribution_groups?param=<xss_payload>" | grep -i "<xss_payload>"
Disclosure
Exploit Status
EPSS
0.02% (percentile 4%)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-28756 is to upgrade ManageEngine Exchange Reporter Plus to version 5802 or later. If upgrading immediately is not possible, consider implementing input validation and output encoding on the Permissions based on Distribution Groups report to sanitize user-supplied data. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Review and restrict access to the Permissions based on Distribution Groups report to limit potential exposure.
Upgrade ManageEngine Exchange Reporter Plus to version 5802 or later. This update fixes the stored XSS vulnerability in the Permissions based on Distribution Groups report.
CVE-2026-28756 is a stored XSS vulnerability in ManageEngine Exchange Reporter Plus versions before 5802, allowing attackers to inject malicious scripts via the Permissions based on Distribution Groups report.
If you are using ManageEngine Exchange Reporter Plus versions 0–5802, you are potentially affected by this vulnerability. Upgrade to version 5802 to mitigate the risk.
The recommended fix is to upgrade ManageEngine Exchange Reporter Plus to version 5802 or later. Consider input validation and WAF rules as temporary mitigations.
As of the current assessment, there are no confirmed reports of active exploitation of CVE-2026-28756, but the vulnerability is publicly known and could be targeted.
Please refer to the official ManageEngine security advisory for detailed information and updates regarding CVE-2026-28756: https://www.manageengine.com/products/exchange-reporter-plus/security-advisories.html