Cyber Posture

CVE-2026-27655

Severity: High

Published: 03 April 2026
Modified: 03 April 2026
KEV Added: not listed
Patch: vendor fix available (build 5802 or later; see References)
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0002 (5.1st percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27655 is a high-severity stored cross-site scripting (CWE-79) vulnerability in Zohocorp ManageEngine Exchange Reporter Plus, located in the Permissions Based on Mailboxes report. Its CVSS v3.1 base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). EPSS places it at the 5.1st percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog. The low EPSS should not be read as low internal risk: a stored payload planted by a low-privileged account and rendered to an administrator is a privilege-escalation path inside the console.

The strongest application-level mitigations identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering); the definitive fix is the vendor's patched build, which falls under SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Browser Session Hijacking (T1185) and Steal Web Session Cookie (T1539). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly prevents storage of malicious XSS payloads in the Permissions Based on Mailboxes report by requiring validation and sanitization of untrusted inputs.

SI-15 Information Output Filtering (prevent)
Prevents execution of stored XSS scripts when higher-privileged users view the affected report by filtering (encoding) information outputs prior to transmission to browsers.

SI-2 Flaw Remediation (prevent)
Addresses the specific stored XSS flaw by mandating timely flaw remediation, such as upgrading to build 5802 or later as per the vendor advisory.
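To show what SI-10 and SI-15 mean in code for a report like this one, here is an added example written for this page. It is not ManageEngine code and makes no claim about how Exchange Reporter Plus builds its report: a vulnerable renderer that concatenates trustee names straight into HTML sits next to a hardened one that allowlists input and HTML-encodes on output. The row layout and the payload are constructed. Note the division of labour: output encoding (SI-15) is what closes the bug regardless of how a value got stored, while the input allowlist (SI-10) narrows the attack surface but cannot be the only defence, because legitimate names carry characters such as & and '.

```python
"""Stored XSS in a report view: the vulnerable rendering pattern next to
its hardened form (SI-10 input validation plus SI-15 output filtering).

Added illustration for this page. It is not ManageEngine code and makes no
claim about how Exchange Reporter Plus builds the Permissions Based on
Mailboxes report; the row layout and the payload below are constructed.
"""
import html
import re

# Constructed rows for a mailbox-permissions style report. The second
# trustee value is attacker-controlled text that a low-privileged user has
# managed to get stored; the payload is illustrative, not from the CVE.
SAMPLE_ROWS = [
    {"mailbox": "finance@corp.example", "trustee": "Alice Example",
     "right": "FullAccess"},
    {"mailbox": "ceo@corp.example",
     "trustee": '<img src=x onerror="alert(document.cookie)">',
     "right": "SendAs"},
]


def render_unsafe(rows):
    """The bug class: untrusted fields concatenated straight into HTML."""
    cells = "".join(
        f"<tr><td>{r['mailbox']}</td><td>{r['trustee']}</td>"
        f"<td>{r['right']}</td></tr>"
        for r in rows
    )
    return f"<table>{cells}</table>"


# SI-10: an allowlist per field. Values containing angle brackets, double
# quotes or anything else outside the allowlist are refused rather than
# "cleaned"; stripping tags is the bypass-prone approach.
_TRUSTEE_OK = re.compile(r"[\w .,'()@&-]{1,256}")
_MAILBOX_OK = re.compile(r"[\w.+-]+@[\w.-]+")
_RIGHTS_OK = {"FullAccess", "SendAs", "SendOnBehalf", "ReadPermission"}


def validate_row(row):
    """True when every field matches its allowlist (SI-10)."""
    return (
        _MAILBOX_OK.fullmatch(row["mailbox"]) is not None
        and _TRUSTEE_OK.fullmatch(row["trustee"]) is not None
        and row["right"] in _RIGHTS_OK
    )


def render_safe(rows):
    """SI-15: encode every untrusted value for the HTML text context at
    output time, whether or not it passed validation. Rows that fail
    validation are kept but flagged, so an auditor never loses a row."""
    out = []
    for r in rows:
        flag = "" if validate_row(r) else ' data-invalid="1"'
        out.append(
            f"<tr{flag}><td>{html.escape(r['mailbox'])}</td>"
            f"<td>{html.escape(r['trustee'])}</td>"
            f"<td>{html.escape(r['right'])}</td></tr>"
        )
    return "<table>" + "".join(out) + "</table>"


def contains_active_markup(rendered):
    """Check used to compare the two renderers: is there a script element
    or a tag carrying an on* event handler in the output?"""
    handler = re.search(r"<[a-z][\w-]*\b[^>]*\bon\w+\s*=", rendered, re.I)
    return handler is not None or "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_unsafe(SAMPLE_ROWS))
    print(render_safe(SAMPLE_ROWS))
```

Run it and compare the two table strings: the unsafe one contains a live `<img ... onerror=...>` element, the safe one carries the same text as `&lt;img ... &gt;` inside a flagged row. If a report also writes values into attributes, URLs or inline JavaScript, each of those contexts needs its own encoder; `html.escape` covers the text and quoted-attribute contexts only.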

MITRE ATT&CK Enterprise Techniques

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Stored XSS lets attacker-controlled script run in the browser of whoever views the report, here a higher-privileged user. That script can read web session cookies (T1539) for session takeover, or simply act from inside the victim's authenticated session (T1185) to exfiltrate data and perform unauthorized actions. An HttpOnly flag on the session cookie blocks the first path (the script cannot read the cookie) but not the second, since requests issued by the injected script still carry the victim's session.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Permissions Based on Mailboxes report.

Deeper analysis

CVE-2026-27655 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Zohocorp ManageEngine Exchange Reporter Plus builds before 5802. The flaw is in the Permissions Based on Mailboxes report, where an untrusted value is written into the page without proper encoding, so a script saved into that data runs in the browser of whoever later opens the report. The CVSS v3.1 base score is 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N), rated High on the strength of its confidentiality and integrity impacts.

The attacker needs an account with low privileges (PR:L) and network reach to the console (AV:N), and no special conditions have to hold (AC:L). They plant the payload in data the report displays and wait: the script executes when a higher-privileged user views the report (UI:R). What it can then do is bounded by that victim's session, which is exactly what makes stored XSS in an administrative reporting console a privilege-escalation path: session hijacking or data theft (C:H) and unauthorized actions in the victim's name (I:H), with no availability impact (A:N). The S:U scoring indicates the vendor rated the impact as confined to the application itself.

Mitigation details are in the vendor advisory at https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-27655.html, published alongside the CVE on 2026-04-03. Upgrade to build 5802 or later. Verify the installed build number rather than the marketing version, since the affected-products entry below is keyed on version 5.8 while the advisory keys on build 5802. Until the upgrade is done, limit which accounts can write to the data the report displays and which accounts can open the report.
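Patching closes the rendering path going forward, but it does not remove a payload a low-privileged user may have planted before the upgrade. As an added example for this page (not a ManageEngine tool), the following sweeps an export of the report's fields for script-like content so those rows can be reviewed and cleaned by hand; the JSON row format is an assumption and every record is constructed.

```python
"""Post-upgrade sweep for payloads already stored in report fields.

Added example for this page, not a ManageEngine tool. Moving to build 5802
stops the report from rendering untrusted text unsafely, but it does not
delete a payload a low-privileged user planted before the upgrade. The JSON
row layout is an assumption and every record below is constructed.
"""
import json
import re

# Constructed export of the report's rows. In practice, feed this the CSV or
# JSON export of the Permissions Based on Mailboxes report, or the directory
# attributes (display names, descriptions) the report copies into the page.
SAMPLE_EXPORT = json.dumps([
    {"mailbox": "hr@corp.example", "trustee": "Bob O'Neil",
     "right": "FullAccess"},
    {"mailbox": "legal@corp.example",
     "trustee": "<svg/onload=alert(document.cookie)>", "right": "SendAs"},
    {"mailbox": "ops@corp.example", "trustee": "Reports & Analytics",
     "right": "SendOnBehalf"},
    {"mailbox": "it@corp.example", "trustee": "javascript:alert(1)",
     "right": "FullAccess"},
])

# Indicators with labels so each finding explains itself. This is a triage
# net for the common stored-XSS shapes (tags, inline handlers, javascript:
# URIs, pre-encoded angle brackets), not an HTML parser: hits are leads to
# review by hand, and the list will need tuning against your own data.
INDICATORS = [
    ("html_tag", re.compile(r"<\s*/?\s*[a-z][\w-]*", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("js_uri", re.compile(r"javascript\s*:", re.I)),
    ("encoded_lt", re.compile(r"&(lt|#0*60|#x0*3c);", re.I)),
]


def scan_records(records):
    """Return one finding per (row, field, indicator) hit, in row order."""
    findings = []
    for idx, rec in enumerate(records):
        for field, value in rec.items():
            if not isinstance(value, str):
                continue
            for label, rx in INDICATORS:
                if rx.search(value):
                    findings.append({"row": idx, "field": field,
                                     "indicator": label, "value": value})
    return findings


def scan_export(text):
    """Parse a JSON array of row objects and scan it."""
    return scan_records(json.loads(text))


def rows_to_review(findings):
    """Collapse findings to the sorted set of row indexes needing review."""
    return sorted({f["row"] for f in findings})


if __name__ == "__main__":
    for f in scan_export(SAMPLE_EXPORT):
        print(f"row {f['row']} field {f['field']}: "
              f"{f['indicator']} -> {f['value']!r}")
```

On the constructed export this flags rows 1 and 3 and leaves "Bob O'Neil" and "Reports & Analytics" alone, which is the point of matching on tag and handler shapes rather than on bare punctuation. Any row it flags was stored by some account; the account that wrote it is the next thing to look at.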

Details

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected Products

Vendor: zohocorp
Product: manageengine exchange reporter plus
Versions: 5.8 · ≤ 5.8 (the vendor advisory keys on build number: builds before 5802 are affected)

CVEs Like This One

CVE-2026-4108 (same product: Zohocorp ManageEngine Exchange Reporter Plus)
CVE-2026-28703 (same product: Zohocorp ManageEngine Exchange Reporter Plus)
CVE-2026-28756 (same product: Zohocorp ManageEngine Exchange Reporter Plus)
CVE-2026-28754 (same product: Zohocorp ManageEngine Exchange Reporter Plus)
CVE-2026-3879 (same product: Zohocorp ManageEngine Exchange Reporter Plus)
CVE-2026-4107 (same product: Zohocorp ManageEngine Exchange Reporter Plus)
CVE-2026-3880 (same product: Zohocorp ManageEngine Exchange Reporter Plus)
CVE-2026-28298 (same product class: network monitoring / SIEM)
CVE-2025-1723 (same product class: network monitoring / SIEM)
CVE-2025-11669 (same product class: network monitoring / SIEM)

References

Vendor advisory: https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-27655.html