CVE-2026-4108 PUBLISHED

Stored XSS Vulnerability

Assigner: Zohocorp
Reserved: 13.03.2026 Published: 03.04.2026 Updated: 03.04.2026

Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Non-Owner Mailbox Permission report.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
CVSS Score: 7.3

Product Status

Vendor Zohocorp
Product ManageEngine Exchange Reporter Plus
Versions Default: unaffected
  • affected from 0 to 5802 (excl.)

References

Problem Types

  • CWE-79 Improper neutralization of input during web page generation ('cross-site scripting') CWE