CVE-2026-1367
Published: 2026-02-23
CVE-2026-1367: Zohocorp ManageEngine ADSelfService Plus versions 6522 and below are vulnerable to authenticated SQL Injection in the search report option.
Priority: P260, high
CVSS 3.1: 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)
EPSS: 7.87% (94.0th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_adselfservice_plus | < 6523 | 6523 |
Detection & IOCs (extracted from sources)
- Vulnerability is an authenticated SQL Injection in the search report option of ManageEngine ADSelfService Plus. Monitor HTTP requests to the search report endpoint for SQL metacharacters or injection payloads from authenticated sessions.
- Exploitation requires authentication; attack surface is limited to authenticated users but the CVSS score is HIGH (8.3), indicating significant post-auth impact. Patch to version 6523 or above (fix added Feb 24, 2026).
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-1367 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2026-1367 [MEDIUM] CVE-2026-1367 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1367: Zoho ManageEngine ADSelfService Plus vulnerability analysis and mitigation
Zohocorp ManageEngine ADSelfService Plus versions 6522 and below are vulnerable to authenticated SQL Injection in the search report option.
Source: NVD
Score: 8.3
Published: February 23, 2026
Severity: HIGH
CNA Score: 8.3
Affected Technologies: Zoho ManageEngine ADSelfService Plus
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 54.7
Exploitation Probability (EPSS): 0.3
Affected packages and libraries: cpe:2.3:a:zohocorp:manageengine_adselfservice_plus
Sources: NVD
Windows · Severity: HIGH · Has Fix · Added at: Feb 24, 2026
Wiz
CVE-2025-11250 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2025-11250 [MEDIUM] CVE-2025-11250 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-11250: Zoho ManageEngine ADSelfService Plus vulnerability analysis and mitigation
Zohocorp ManageEngine ADSelfService Plus versions before 6519 are vulnerable to Authentication Bypass due to improper filter configurations.
Source: NVD
Score: 9.1
Published: January 13, 2026
Severity: CRITICAL
CNA Score: 9.1
Affected Technologies: Zoho ManageEngine ADSelfService Plus
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 30.2
Exploitation Probability (EPSS): 0.1
Affected packages and libraries: cpe:2.3:a:zohocorp:manageengine_adselfservice_plus
Sources
Windows · Severity: CRITICAL · Has Fix · Added at: Jan 14, 2026
Windows · Severity: CRITICAL · Has Fix · Added at: Jan 30, 2026
Bugzilla
CVE-2026-43140 kernel: HID: magicmouse: Do not crash on missing msc->input
bugzilla·2026-05-06
CVE-2026-43140 [MEDIUM] CVE-2026-43140 kernel: HID: magicmouse: Do not crash on missing msc->input
In the Linux kernel, the following vulnerability has been resolved:
HID: magicmouse: Do not crash on missing msc->input
Fake USB devices can send their own report descriptors for which the
input_mapping() hook does not get called. In this case, msc->input stays NULL,
leading to a crash at a later time.
Detect this condition in the input_configured() hook and reject the device.
This is not supposed to happen with actual magic mouse devices, but can be
provoked by imposing as a magic mouse USB device.
Discussion:
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050624-CVE-2026-43140-1367@gregkh/T
Published: 2026-02-23