CVE-2026-28754
Published: 03 April 2026
Summary
CVE-2026-28754 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Zohocorp ManageEngine Exchange Reporter Plus. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). It ranks at the 6.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the stored XSS flaw in ManageEngine Exchange Reporter Plus versions before 5802 by identifying, reporting, and applying the vendor-provided patch.
- Filters output in the Distribution Lists report so that injected script is rendered as inert text rather than executed when other users view the report.
- Validates input to the Distribution Lists functionality so that values containing script are rejected before they are stored and shown to other users.
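The two code-level controls above (output filtering, SI-15, and input validation, SI-10) are shown together in the following added example. It is illustrative code written for this page, not ManageEngine's implementation: the allowlist pattern, the field name and the sample report values are assumptions chosen for the demonstration. Output encoding is the control that actually neutralises a stored payload at render time; the allowlist check is defence in depth at the point of storage.

```python
import html
import re

# Constructed sample values for a "distribution list name" report field.
# They are not data from the vendor, the advisory or any real tenant; the
# second one carries a textbook script tag to stand in for a stored payload.
SAMPLE_NAMES = [
    "Finance Team",
    "Sales <script>alert('xss')</script>",
]

# SI-10 (input validation): an allowlist for the field, chosen here as an
# assumption. Anything outside letters, digits, space and a few punctuation
# characters is rejected before it can be stored. Angle brackets, quotes and
# ampersands are deliberately absent from the set.
DL_NAME_RE = re.compile(r"^[A-Za-z0-9 ._,()-]{1,256}$")


def validate_dl_name(value: str) -> bool:
    """Return True only if the value matches the allowlist for this field."""
    return DL_NAME_RE.fullmatch(value) is not None


def encode_for_html(value: str) -> str:
    """SI-15 (output filtering): HTML-encode a value for element content.

    '<', '>', '&', '"' and "'" become entity references, so a stored
    "<script>" is displayed literally instead of being parsed as markup.
    """
    return html.escape(value, quote=True)


def render_report_rows(names) -> str:
    """Render one table row per name, encoding every value on output.

    Encoding happens here, at the rendering boundary, regardless of whether
    the value was validated when it was stored.
    """
    return "".join(f"<tr><td>{encode_for_html(n)}</td></tr>" for n in names)


def rejected_on_input(names) -> list:
    """Return the subset of names the SI-10 allowlist would refuse to store."""
    return [n for n in names if not validate_dl_name(n)]


def contains_raw_markup(rendered_value: str) -> bool:
    """Check helper: True if an encoded value still carries a raw tag opener."""
    return "<" in rendered_value or ">" in rendered_value


if __name__ == "__main__":
    print("Rejected at input:", rejected_on_input(SAMPLE_NAMES))
    print("Rendered report:", render_report_rows(SAMPLE_NAMES))
```

`html.escape` is correct only for HTML element content; a value placed inside an attribute, a URL or a script block needs the encoder for that context, and validation at storage time does not replace it.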
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS directly enables injection of JavaScript into other users' sessions, which supports browser session hijacking, cookie theft, and the use of stolen web session cookies for unauthorized actions.
NVD Description
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Distribution Lists report.
Deeper analysis
CVE-2026-28754 is a stored cross-site scripting (XSS) vulnerability (CWE-79) affecting Zohocorp ManageEngine Exchange Reporter Plus versions before 5802, specifically in the Distribution Lists report. Published on 2026-04-03, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N), reflecting high severity due to its potential for confidentiality and integrity impacts.
The vulnerability can be exploited by a low-privileged user (PR:L) over the network (AV:N) with low attack complexity (AC:L), though it requires user interaction (UI:R) such as viewing the affected report. Attackers can inject malicious scripts that persist and execute in the context of other users' browsers, enabling high confidentiality breaches (C:H), such as session hijacking or data theft, and high integrity violations (I:H), like unauthorized actions on the victim's behalf, with no availability impact (A:N).
Mitigation details are provided in the vendor advisory at https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-28754.html.
Details
- CWE(s)