CVE-2026-5785
Published 2026-04-16
Priority: P356 (high), CVSS 3.1 score 8.1
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 1.39% (69.0th percentile)
Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 are vulnerable to Authenticated SQL injection in the query report module.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_pam360 | < 8531 | 8531 |
| zohocorp | manageengine_password_manager_pro | 8600 – 13230 | — |
GHSA
GHSA-wg7c-97pm-qp3w
ghsa_unreviewed · 2026-04-16
CVE-2026-5785 [HIGH] CWE-89
Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 are vulnerable to Authenticated SQL injection in the query report module.
VulDB
Zoho ManageEngine PAM360 Query Report sql injection
vuldb · 2026-04-16 · CVSS 8.1
CVE-2026-5785 [HIGH] Zoho ManageEngine PAM360 Query Report sql injection
A vulnerability classified as critical has been found in Zoho ManageEngine PAM360 and ManageEngine Password Manager Pro. Impacted is an unknown function of the component Query Report Module. The manipulation leads to sql injection.
This vulnerability is listed as CVE-2026-5785. The attack may be initiated remotely. There is no available exploit.
It is recommended to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.