Cyber Posture

CVE-2026-4107

High

Published: 03 April 2026

Modified: 03 April 2026
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0002 (percentile 6.2)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-4107 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Zohocorp Manageengine Exchange Reporter Plus. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). By exploit likelihood (EPSS) it ranks at percentile 6.2, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Browser Session Hijacking (T1185) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Validates inputs to the Folder Message Count and Size report to prevent injection and storage of malicious scripts.
prevent: Filters output from the affected report to prevent execution of stored malicious scripts in viewers' browsers.
prevent: Requires timely application of vendor patches, such as upgrading to version 5802, to remediate the specific XSS flaw.
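The two technical controls above (SI-10 input validation and SI-15 output filtering) applied to a folder-statistics report, as an added illustration rather than code from Exchange Reporter Plus or the advisory. The row schema (folder, message_count, size_bytes), the validation rules and the sample rows are constructed assumptions; the point is that validation rejects malformed rows while HTML encoding at render time neutralises a script payload that is otherwise a syntactically valid folder name.

```python
import html
import re
from dataclasses import dataclass

# Assumed row schema for a "Folder Message Count and Size" style report.
# The real product's schema is not on the page; this is illustrative.
FOLDER_NAME_RE = re.compile(r"[^\x00-\x1f\x7f]{1,256}")  # no control chars, length-capped


@dataclass
class FolderRow:
    folder: str
    message_count: int
    size_bytes: int


def validate_row(folder, message_count, size_bytes) -> FolderRow:
    """SI-10 (Information Input Validation): reject values that cannot be a
    legitimate folder statistic before anything is stored."""
    if not isinstance(folder, str) or not FOLDER_NAME_RE.fullmatch(folder):
        raise ValueError("invalid folder name")
    if not isinstance(message_count, int) or message_count < 0:
        raise ValueError("message count must be a non-negative integer")
    if not isinstance(size_bytes, int) or size_bytes < 0:
        raise ValueError("size must be a non-negative integer")
    return FolderRow(folder, message_count, size_bytes)


def render_row(row: FolderRow) -> str:
    """SI-15 (Information Output Filtering): HTML-encode every untrusted value
    at the point of output, so stored text is shown, never executed."""
    safe_folder = html.escape(row.folder, quote=True)
    return f"<tr><td>{safe_folder}</td><td>{row.message_count}</td><td>{row.size_bytes}</td></tr>"


def render_report(raw_rows):
    """Apply both controls; returns (html_table, number_of_rejected_rows)."""
    rendered, rejected = [], 0
    for raw in raw_rows:
        try:
            row = validate_row(raw.get("folder"), raw.get("message_count"), raw.get("size_bytes"))
        except ValueError:
            rejected += 1  # a real deployment would also log this for detection
            continue
        rendered.append(render_row(row))
    return "<table>" + "".join(rendered) + "</table>", rejected


# Constructed sample rows: one benign, one carrying a script tag, one malformed.
SAMPLE_ROWS = [
    {"folder": "Inbox", "message_count": 120, "size_bytes": 48201337},
    {"folder": "<script>alert(1)</script>", "message_count": 1, "size_bytes": 10},
    {"folder": "bad\x00name", "message_count": "12", "size_bytes": 0},
]

if __name__ == "__main__":
    print(render_report(SAMPLE_ROWS))
```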

MITRE ATT&CK Enterprise Techniques

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
T1056.003 Web Portal Capture (Collection)
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service.
Why these techniques?

Stored XSS enables injection of scripts that execute in admins' browsers upon viewing the report, directly facilitating browser session hijacking (T1185), stealing web session cookies (T1539), and capturing web portal credentials/input (T1056.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Folder Message Count and Size report.

Deeper analysis

CVE-2026-4107 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Zohocorp ManageEngine Exchange Reporter Plus versions prior to 5802. The issue resides specifically in the Folder Message Count and Size report, where malicious scripts can be persistently stored. Published on 2026-04-03, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N), reflecting high potential impacts on confidentiality and integrity over a network with low attack complexity.

An attacker with low privileges (PR:L), such as an authenticated user, can exploit this vulnerability remotely (AV:N) by injecting malicious payloads into the affected report. Exploitation requires user interaction (UI:R), typically when a higher-privileged administrator views the tampered report, triggering script execution in the victim's browser context within the unchanged security scope (S:U). Successful attacks enable high confidentiality breaches, such as session hijacking or data exfiltration, and integrity violations like unauthorized modifications.

The official ManageEngine advisory at https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-4107.html details mitigation, recommending an upgrade to version 5802 or later, which addresses the vulnerability.

Details

CWE(s)

CWE-79 (Cross-site Scripting)

Affected Products

Vendor: zohocorp
Product: manageengine exchange reporter plus
Version: 5.8 (≤ 5.8)

CVEs Like This One

CVE-2026-4108 (same product: Zohocorp Manageengine Exchange Reporter Plus)
CVE-2026-28703 (same product: Zohocorp Manageengine Exchange Reporter Plus)
CVE-2026-27655 (same product: Zohocorp Manageengine Exchange Reporter Plus)
CVE-2026-28756 (same product: Zohocorp Manageengine Exchange Reporter Plus)
CVE-2026-28754 (same product: Zohocorp Manageengine Exchange Reporter Plus)
CVE-2026-3879 (same product: Zohocorp Manageengine Exchange Reporter Plus)
CVE-2026-3880 (same product: Zohocorp Manageengine Exchange Reporter Plus)
CVE-2025-1723 (same product class: network monitoring / SIEM)
CVE-2026-28298 (same product class: network monitoring / SIEM)
CVE-2025-11669 (same product class: network monitoring / SIEM)

References