CVE-2026-3880
Published: 03 April 2026
Summary
CVE-2026-3880 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Zohocorp Manageengine Exchange Reporter Plus. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). The CVE ranks at the 5.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validating untrusted inputs before storage, directly preventing the injection of malicious scripts into the Public Folder Client Permissions report.
SI-15 mandates filtering outputs prior to rendering, blocking executable JavaScript from being served to users viewing the report.
SI-2 ensures timely flaw remediation through patching to version 5802 or later, as recommended by the vendor to fix the stored XSS vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The stored XSS vulnerability directly allows an attacker to inject and execute arbitrary JavaScript in the victim's browser when viewing the affected report, mapping to JavaScript execution under Command and Scripting Interpreter.
NVD Description
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Public Folder Client Permissions report.
Deeper analysis
CVE-2026-3880 is a stored cross-site scripting (XSS) vulnerability (CWE-79) in Zoho Corporation's ManageEngine Exchange Reporter Plus versions prior to 5802. The issue affects the Public Folder Client Permissions report, where untrusted input can be stored and later rendered as executable JavaScript in users' browsers.
The vulnerability has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N), indicating exploitation over the network with low complexity by an authenticated attacker possessing low privileges, though it requires user interaction such as viewing the malicious report. Successful exploitation allows the attacker to execute arbitrary scripts in the victim's browser context, potentially leading to high-impact unauthorized access to sensitive data (confidentiality) or manipulation of application state (integrity), without affecting availability.
The vendor advisory at https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-3880.html provides details on mitigation, with versions 5802 and later addressing the flaw through input validation and sanitization updates. Security practitioners should prioritize upgrading affected installations and review access controls for report generation features.
Details
- CWE(s): CWE-79 (Cross-site Scripting)