Cyber Posture

CVE-2026-28756

Severity: High
Published: 03 April 2026
Modified: 03 April 2026
KEV Added: not listed
Patch: vendor fix available (version 5802)
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0002 (5.1 percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28756 is a high-severity cross-site scripting (CWE-79) vulnerability in Zohocorp ManageEngine Exchange Reporter Plus. Its CVSS v3.1 base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). Its EPSS score places it at the 5.1 percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to JavaScript (T1059.007) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: SI-10 (Information Input Validation) requires validating inputs so that malicious scripts cannot be stored in the "Permissions based on Distribution Groups" report, directly mitigating the stored XSS vulnerability.

Prevent: SI-15 (Information Output Filtering) mandates filtering information outputs so that scripts are neutralized when the affected report is rendered, preventing execution in the viewer's browser context.

Prevent: SI-2 (Flaw Remediation) ensures timely remediation by upgrading to version 5802, which carries the vendor fix for this specific stored XSS vulnerability.

MITRE ATT&CK Enterprise Techniques [AI]

T1059.007 JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.
T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Stored XSS enables arbitrary JavaScript execution in victim browsers (T1059.007), directly facilitating web session cookie theft (T1539) and browser session hijacking (T1185) to impersonate users or steal data as described in the CVE impact.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Permissions based on Distribution Groups report.

Deeper analysis [AI]

CVE-2026-28756 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Zoho Corp's ManageEngine Exchange Reporter Plus in versions before 5802. The issue exists in the "Permissions based on Distribution Groups" report, where malicious scripts can be stored and executed in the context of viewing users.

Exploitation requires low privileges (PR:L) and occurs over the network (AV:N) with low attack complexity (AC:L), though it demands user interaction (UI:R) such as clicking or viewing the affected report. The CVSS v3.1 base score of 7.3 (High) reflects high impacts on confidentiality (C:H) and integrity (I:H) with no availability impact (A:N) and unchanged scope (S:U), allowing attackers to steal session data, impersonate users, or manipulate report content.

ManageEngine has issued an advisory detailing the vulnerability at https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-28756.html, recommending an upgrade to version 5802 or later to address the flaw.

Details

CWE(s): CWE-79 (Cross-site Scripting)

Affected Products
Vendor: zohocorp
Product: manageengine exchange reporter plus
Version: 5.8 (≤ 5.8)

CVEs Like This One

CVE-2026-4108: same product (Zohocorp ManageEngine Exchange Reporter Plus)
CVE-2026-28703: same product (Zohocorp ManageEngine Exchange Reporter Plus)
CVE-2026-27655: same product (Zohocorp ManageEngine Exchange Reporter Plus)
CVE-2026-28754: same product (Zohocorp ManageEngine Exchange Reporter Plus)
CVE-2026-3879: same product (Zohocorp ManageEngine Exchange Reporter Plus)
CVE-2026-4107: same product (Zohocorp ManageEngine Exchange Reporter Plus)
CVE-2026-3880: same product (Zohocorp ManageEngine Exchange Reporter Plus)
CVE-2025-1723: same product class (network monitoring / SIEM)
CVE-2026-28298: same product class (network monitoring / SIEM)
CVE-2025-11669: same product class (network monitoring / SIEM)