CVE-2026-28703
Published: 03 April 2026
Summary
CVE-2026-28703 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Zohocorp Manageengine Exchange Reporter Plus. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). The vulnerability ranks at the 6.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- SI-10 (Information Input Validation): validates inputs to the 'Mails Exchanged Between Users' report feature to prevent injection and persistence of malicious scripts.
- SI-15 (Information Output Filtering): filters and encodes report outputs to prevent execution of injected XSS payloads in the browsers of other users viewing the report.
- Remediates the stored XSS flaw through timely patching, such as upgrading to version 5802 or later as specified in the vendor advisory.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Stored XSS directly enables script execution in victim browsers, which allows session cookie theft (T1539) and browser session hijacking (T1185) to impersonate users and access sensitive data.
NVD Description
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Mails Exchanged Between Users report.
Deeper analysis (AI-generated)
CVE-2026-28703 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Zohocorp ManageEngine Exchange Reporter Plus versions prior to 5802. The flaw resides in the "Mails Exchanged Between Users" report feature, where malicious scripts can be injected and persisted. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N), indicating high severity due to its potential for confidential data exposure and integrity violations.
Exploitation requires low-privileged network access (PR:L), such as an authenticated user with basic permissions. An attacker can inject a malicious payload into the affected report, which executes in the context of another user's browser upon viewing it (UI:R). Successful exploitation enables theft of sensitive information, such as session cookies or credentials, and manipulation of the victim's interactions within the application, though it does not impact availability.
Mitigation details are outlined in the vendor advisory at https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-28703.html, published on 2026-04-03. Security practitioners should upgrade to version 5802 or later and review access controls for report generation features.
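As an added illustration of the two controls named above (SI-10 input validation and SI-15 output filtering), not code from this page or from the vendor: a hypothetical renderer for one row of a report in the shape described, first in the concatenating form that makes stored XSS possible, then encoding each untrusted field for its HTML context, with a small regression check a reviewer can run over constructed rows.

```python
import html

# Constructed sample rows in the shape of a "Mails Exchanged Between Users"
# report. Display names come from mailbox data an authenticated user can set,
# so they are untrusted; the third row carries a classic script payload.
SAMPLE_ROWS = [
    {"sender": "Alice Example", "recipient": "Bob Example", "count": 12},
    {"sender": "Carol O'Neil", "recipient": "Dave <dave@example.test>", "count": 3},
    {"sender": "<script>alert(1)</script>", "recipient": "Eve", "count": 1},
]


def render_row_unsafe(row):
    """Vulnerable pattern: untrusted values dropped straight into the markup."""
    sender, recipient, count = row["sender"], row["recipient"], row["count"]
    return f'<tr><td title="{sender}">{sender}</td><td>{recipient}</td><td>{count}</td></tr>'


def render_row_safe(row):
    """Hardened pattern: validate the shape of each value (SI-10) and encode it
    for the HTML context it lands in (SI-15). quote=True also neutralises the
    quote characters that would otherwise break out of the title attribute."""
    count = int(row["count"])  # a message count must be an integer, nothing else
    sender = html.escape(str(row["sender"]), quote=True)
    recipient = html.escape(str(row["recipient"]), quote=True)
    return f'<tr><td title="{sender}">{sender}</td><td>{recipient}</td><td>{count}</td></tr>'


def rows_leaking_markup(render, rows):
    """Regression check for a report renderer: return the indexes of rows whose
    untrusted values still appear verbatim in the output even though they
    contain characters that are significant in HTML."""
    leaking = []
    for idx, row in enumerate(rows):
        out = render(row)
        for value in (row["sender"], row["recipient"]):
            if any(ch in value for ch in '<>"\'&') and value in out:
                leaking.append(idx)
                break
    return leaking


if __name__ == "__main__":
    print("unsafe renderer leaks rows:", rows_leaking_markup(render_row_unsafe, SAMPLE_ROWS))
    print("safe renderer leaks rows:  ", rows_leaking_markup(render_row_safe, SAMPLE_ROWS))
    print(render_row_safe(SAMPLE_ROWS[2]))
```

The check flags the apostrophe in row 1 as well as the tags in rows 1 and 2 for the unsafe renderer, because a stray quote is enough to escape an attribute value; a real deployment would apply the same encoding step in the templating layer rather than per field by hand.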
Details
- CWE(s)