Platform
manageengine
Component
manageengine-exchange-reporter-plus
Fixed in
5802
CVE-2026-28754 describes a stored Cross-Site Scripting (XSS) vulnerability discovered in ManageEngine Exchange Reporter Plus. This vulnerability allows an attacker to inject malicious scripts into the Distribution Lists report, potentially leading to session hijacking, data theft, or defacement. The vulnerability affects versions prior to 5802, and a patch is available in version 5802.
Successful exploitation of CVE-2026-28754 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can be leveraged to steal session cookies, redirect users to malicious websites, or modify the content of the application. Given that Exchange Reporter Plus often handles sensitive email data, a compromised session could expose confidential information. The impact is particularly severe if the application is used by privileged users, as an attacker could potentially gain administrative access to the system.
CVE-2026-28754 was publicly disclosed on 2026-04-03. As of this writing, there are no publicly available proof-of-concept exploits. The vulnerability is not currently listed on CISA KEV. The likelihood of exploitation is considered medium, given the ease of XSS exploitation and the potential impact on sensitive data.
Organizations utilizing ManageEngine Exchange Reporter Plus versions 0–5802, particularly those handling sensitive email data or with limited security controls, are at significant risk. Shared hosting environments where multiple users share the same Exchange Reporter Plus instance are also particularly vulnerable.
• manageengine: Examine Exchange Reporter Plus logs for unusual JavaScript execution patterns or suspicious URL parameters in Distribution Lists report requests.
Get-WinEvent -LogName Application -FilterXPath "*[System[Provider[@Name='ManageEngine Exchange Reporter Plus']]]" | Where-Object { $_.Message -match "Distribution Lists report" }
Exploit Status
EPSS
0.02% (5th percentile)
The primary mitigation for CVE-2026-28754 is to upgrade to version 5802 or later of ManageEngine Exchange Reporter Plus. If upgrading immediately is not feasible, consider implementing input validation and output encoding on the Distribution Lists report to sanitize user-supplied data. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update WAF rules to ensure they are effective against known XSS attack patterns.
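To make the output-encoding mitigation concrete, here is an added illustration (not code from ManageEngine or from this advisory) of a report row rendered the vulnerable way and the hardened way; the field names, renderer functions and the sample distribution list record are constructed for the example.

```javascript
// Added illustration of output encoding as a stored-XSS mitigation for a
// report view. Field names and the sample record are constructed and are
// not taken from Exchange Reporter Plus.

// Encode the five characters that matter in an HTML text context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: untrusted directory attributes are concatenated
// straight into the report markup, so a crafted display name that was
// stored earlier becomes live HTML when the report is viewed.
function renderRowUnsafe(list) {
  return `<tr><td>${list.displayName}</td><td>${list.memberCount}</td></tr>`;
}

// Hardened pattern: every untrusted value is encoded for the HTML text
// context at output time. The stored data itself is left unchanged, so
// legitimate names containing '<' or '&' still display correctly.
function renderRowSafe(list) {
  return `<tr><td>${escapeHtml(list.displayName)}</td>` +
         `<td>${escapeHtml(list.memberCount)}</td></tr>`;
}

// Constructed sample: a distribution list whose display name carries a
// tag with an event handler, the general shape of a stored XSS payload.
const sampleList = {
  displayName: 'Sales Team<img src=x onerror="alert(1)">',
  memberCount: 42,
};

// True when the rendered markup still contains a tag derived from the
// untrusted value; used to compare the two renderers.
function containsInjectedTag(html) {
  return /<img\b/i.test(html);
}
```

The same encoding must be applied in every output context the report uses; a value placed inside a JavaScript string or a URL needs context-specific encoding rather than HTML entity encoding alone.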
Update ManageEngine Exchange Reporter Plus to version 5802 or later. This update fixes the stored XSS vulnerability in the Distribution Lists reports.
CVE-2026-28754 is a stored XSS vulnerability affecting ManageEngine Exchange Reporter Plus versions before 5802, allowing attackers to inject malicious scripts via the Distribution Lists report.
If you are using ManageEngine Exchange Reporter Plus versions 0–5802, you are potentially affected by this vulnerability. Upgrade to version 5802 to mitigate the risk.
The recommended fix is to upgrade to version 5802 or later of ManageEngine Exchange Reporter Plus. Consider temporary WAF rules as an interim measure.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants caution.
Please refer to the official ManageEngine security advisory for detailed information and updates: https://www.manageengine.com/products/exchange-reporter-plus/security-advisories.html