CVE-2026-4107
Published 2026-04-03
CVE-2026-4107: Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Folder Message Count and Size report.
Priority P428 · medium · 5.4 · CVSS 3.1
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.52% (40.1th percentile)
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_exchange_reporter_plus | < 5802 | 5802 |
| zohocorp | manageengine_exchange_reporter_plus | < 5.8 | 5.8 |
| zohocorp | manageengine_exchange_reporter_plus | — | — |
VulDB
Zoho ManageEngine Exchange Reporter Plus up to 5801 Folder Message Report cross site scripting (Nessus ID 305773)
vuldb·2026-04-10·CVSS 7.3
CVE-2026-4107 [HIGH] Zoho ManageEngine Exchange Reporter Plus up to 5801 Folder Message Report cross site scripting (Nessus ID 305773)
A vulnerability was found in Zoho ManageEngine Exchange Reporter Plus up to 5801. It has been declared as problematic. This affects an unknown function of the component Folder Message Report. Such manipulation leads to cross site scripting.
This vulnerability is listed as CVE-2026-4107. The attack may be performed from remote. There is no available exploit.
It is recommended to upgrade the affected component.
GHSA
GHSA-h96r-c882-j4mv: Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Folder Message Count and Size report
ghsa_unreviewed·2026-04-03
CVE-2026-4107 [HIGH] CWE-79 GHSA-h96r-c882-j4mv: Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Folder Message Count and Size report
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Folder Message Count and Size report.
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-28703 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.3
CVE-2026-28703 [HIGH] CVE-2026-28703 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28703: Zoho ManageEngine Exchange Reporter Plus vulnerability analysis and mitigation
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Mails Exchanged Between Users report.
Source: NVD
Score 4.8
Published April 3, 2026
Severity MEDIUM
CNA Score 7.3
Affected Technologies
Zoho ManageEngine Exchange Reporter Plus
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus
Sources
Windows Severity MEDIUM Has Fix Added at: Apr 05, 2026
Windows Severity MEDIUM No Fix Added at: Apr 06, 2026
Wiz
CVE-2026-28756 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.3
CVE-2026-28756 [HIGH] CVE-2026-28756 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28756: Zoho ManageEngine Exchange Reporter Plus vulnerability analysis and mitigation
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Permissions based on Distribution Groups report.
Source: NVD
Score 4.8
Published April 3, 2026
Severity MEDIUM
CNA Score 7.3
Affected Technologies
Zoho ManageEngine Exchange Reporter Plus
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus
Sources
Windows Severity MEDIUM Has Fix Added at: Apr 05, 2026
Windows Severity MEDIUM No Fix Added at: Apr 06, 2026
Wiz
CVE-2026-3880 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.3
CVE-2026-3880 [HIGH] CVE-2026-3880 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3880: Zoho ManageEngine Exchange Reporter Plus vulnerability analysis and mitigation
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Public Folder Client Permissions report.
Source: NVD
Score 4.8
Published April 3, 2026
Severity MEDIUM
CNA Score 7.3
Affected Technologies
Zoho ManageEngine Exchange Reporter Plus
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus
Sources
Windows Severity MEDIUM Has Fix Added at: Apr 05, 2026
Windows Severity MEDIUM No Fix Added at: Apr 06, 2026
Wiz
CVE-2026-3879 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.3
CVE-2026-3879 [HIGH] CVE-2026-3879 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3879: Zoho ManageEngine Exchange Reporter Plus vulnerability analysis and mitigation
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Equipment Mailbox Details report.
Source: NVD
Score 4.8
Published April 3, 2026
Severity MEDIUM
CNA Score 7.3
Affected Technologies
Zoho ManageEngine Exchange Reporter Plus
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus
Sources
Windows Severity MEDIUM Has Fix Added at: Apr 05, 2026
Windows Severity MEDIUM No Fix Added at: Apr 06, 2026
Wiz
CVE-2026-28754 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.3
CVE-2026-28754 [HIGH] CVE-2026-28754 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28754: Zoho ManageEngine Exchange Reporter Plus vulnerability analysis and mitigation
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Distribution Lists report.
Source: NVD
Score 4.8
Published April 3, 2026
Severity MEDIUM
CNA Score 7.3
Affected Technologies
Zoho ManageEngine Exchange Reporter Plus
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus
Sources
Windows Severity MEDIUM Has Fix Added at: Apr 05, 2026
Windows Severity MEDIUM No Fix Added at: Apr 06, 2026
Wiz
CVE-2026-4107 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.3
CVE-2026-4107 [HIGH] CVE-2026-4107 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4107: Zoho ManageEngine Exchange Reporter Plus vulnerability analysis and mitigation
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Folder Message Count and Size report.
Source: NVD
Score 5.4
Published April 3, 2026
Severity MEDIUM
CNA Score 7.3
Affected Technologies
Zoho ManageEngine Exchange Reporter Plus
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus
Sources
Windows Severity MEDIUM Has Fix Added at: Apr 05, 2026
Windows Severity MEDIUM No Fix Added at: Apr 06, 2026
Wiz
CVE-2026-27655 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.3
CVE-2026-27655 [HIGH] CVE-2026-27655 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27655: Zoho ManageEngine Exchange Reporter Plus vulnerability analysis and mitigation
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Permissions Based on Mailboxes report.
Source: NVD
Score 4.8
Published April 3, 2026
Severity MEDIUM
CNA Score 7.3
Affected Technologies
Zoho ManageEngine Exchange Reporter Plus
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus
Sources
Windows Severity MEDIUM Has Fix Added at: Apr 05, 2026
Windows Severity MEDIUM No Fix Added at: Apr 06, 2026
Wiz
CVE-2026-4108 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.3
CVE-2026-4108 [HIGH] CVE-2026-4108 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4108: Zoho ManageEngine Exchange Reporter Plus vulnerability analysis and mitigation
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Non-Owner Mailbox Permission report.
Source: NVD
Score 4.8
Published April 3, 2026
Severity MEDIUM
CNA Score 7.3
Affected Technologies
Zoho ManageEngine Exchange Reporter Plus
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus
Sources
Windows Severity MEDIUM Has Fix Added at: Apr 05, 2026
Windows Severity MEDIUM No Fix Added at: Apr 06, 2026
Published 2026-04-03