CVE-2026-4108
Published: 03 April 2026
Summary
CVE-2026-4108 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Zohocorp ManageEngine Exchange Reporter Plus. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). The vulnerability is ranked at the 6.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires timely application of vendor patches, such as upgrading to ManageEngine Exchange Reporter Plus version 5802, to remediate the specific stored XSS flaw in the Non-Owner Mailbox Permission report.
- Mandates validation and sanitization of inputs to the Non-Owner Mailbox Permission report, preventing storage of malicious scripts that enable stored XSS.
- Enforces output filtering and encoding when rendering the Non-Owner Mailbox Permission report, blocking execution of injected scripts in users' browsers.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS enables browser script execution for stealing web session cookies (T1539) and hijacking sessions to impersonate users/steal data (T1185).
NVD Description
Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Non-Owner Mailbox Permission report.
Deeper analysis
CVE-2026-4108 is a Stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting Zohocorp ManageEngine Exchange Reporter Plus versions before 5802. The flaw resides in the Non-Owner Mailbox Permission report, where malicious input can be persistently stored and executed in users' browsers. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N), reflecting high potential impacts on confidentiality and integrity with no availability disruption.
Exploitation requires an attacker to possess low privileges (PR:L) and occurs over the network (AV:N) with low attack complexity (AC:L), though it demands user interaction (UI:R) such as viewing the tainted report. Successful exploitation enables high confidentiality (C:H) and integrity (I:H) impacts within the unchanged scope (S:U), allowing attackers to steal sensitive data, manipulate content, or impersonate users via injected scripts.
ManageEngine has issued an advisory detailing the issue at https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-4108.html, recommending upgrade to version 5802 or later to mitigate the vulnerability.
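The two controls named under Mitigating Controls (SI-10 input validation and SI-15 output encoding) and the stored-XSS mechanism described in the deeper analysis, shown together as an added illustration. This is not ManageEngine's code and does not reflect how Exchange Reporter Plus stores or renders the report; the column names and sample rows are constructed, and the validation allowlist is an assumption about what a principal name in such a report should look like.

```python
import html
import re

# Constructed rows shaped like a non-owner mailbox permission report
# (hypothetical column names, not the product's own data model).
SAMPLE_ROWS = [
    {"mailbox": "finance@example.test", "accessed_by": "CORP\\alice", "permission": "FullAccess"},
    {"mailbox": "hr@example.test", "accessed_by": "<script>alert('stored xss')</script>",
     "permission": "SendAs"},
]
COLUMNS = ("mailbox", "accessed_by", "permission")

# SI-10 (input validation): allowlist applied to principal names before they are persisted.
# Letters, digits and the separators used by e-mail and DOMAIN\user forms only (assumed policy).
PRINCIPAL_RE = re.compile(r"[\w.@\\ -]{1,256}")


def validate_principal(value: str) -> bool:
    """True if a principal name contains only allowlisted characters."""
    return PRINCIPAL_RE.fullmatch(value) is not None


def store_records(rows: list[dict]) -> tuple[list[dict], list[dict]]:
    """Persist only rows whose principal field validates; return (stored, rejected)."""
    stored, rejected = [], []
    for row in rows:
        (stored if validate_principal(row["accessed_by"]) else rejected).append(row)
    return stored, rejected


def render_row_unsafe(row: dict) -> str:
    """Vulnerable pattern: stored values are interpolated into HTML verbatim."""
    return "<tr>" + "".join(f"<td>{row[c]}</td>" for c in COLUMNS) + "</tr>"


def render_row_safe(row: dict) -> str:
    """SI-15 (output filtering): HTML-encode every cell at render time.
    html.escape encodes quotes by default, so the helper is also safe inside attributes."""
    return "<tr>" + "".join(f"<td>{html.escape(str(row[c]))}</td>" for c in COLUMNS) + "</tr>"


def render_report(rows: list[dict]) -> str:
    """Render the report table using only the encoding renderer."""
    return "<table>" + "".join(render_row_safe(r) for r in rows) + "</table>"


if __name__ == "__main__":
    tainted = SAMPLE_ROWS[1]
    print("unsafe:", render_row_unsafe(tainted))  # raw <script> tag reaches the browser
    print("safe:  ", render_row_safe(tainted))    # &lt;script&gt;... is shown as text
    stored, rejected = store_records(SAMPLE_ROWS)
    print(f"stored={len(stored)} rejected={len(rejected)}")
```

Output encoding alone (render_row_safe) is what neutralizes already-stored payloads after an upgrade; the input allowlist stops new ones from being persisted.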
Details
- CWE(s)