CVE-2026-5785
Published: 16 April 2026
Summary
CVE-2026-5785 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). This CVE is ranked in the top 31.1% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-5785 is an authenticated SQL injection vulnerability (CWE-89) in the query report module of Zoho Corp's ManageEngine PAM360 versions prior to 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230. Published on 2026-04-16, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to its potential for remote exploitation with significant impacts on data confidentiality and integrity.
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and without requiring user interaction (UI:N). Successful exploitation enables high-impact unauthorized access to sensitive data (C:H) and modification of database contents (I:H), while availability remains unaffected (A:N), potentially allowing attackers to extract or alter privileged credentials managed by these password management tools.
Mitigation requires upgrading to patched versions: ManageEngine PAM360 version 8531 or later, and ManageEngine Password Manager Pro versions beyond 13230. Additional details are available in the vendor advisory at https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2026-5785.html.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23239
Vulnerability details
Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 are vulnerable to Authenticated SQL injection in the query report module.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing password manager web application directly enables T1190 for remote exploitation; the resulting arbitrary database queries allow data access (T1213.006) and modification (T1565.001) of stored credentials.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents SQL injection by requiring validation and error handling of user input to the query report module.
- SI-2 (Flaw Remediation): mandates timely remediation through patching to fixed versions (PAM360 8531 or later, or a Password Manager Pro version beyond 13230), eliminating the specific SQL injection vulnerability.
- RA-5 (Vulnerability Monitoring and Scanning): requires vulnerability scanning that identifies SQL injection flaws like CVE-2026-5785 in ManageEngine applications for subsequent remediation.
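The following is an added illustration of the SI-10 control and of the CWE-89 pattern described in the "Deeper analysis" section; it is example code written for this page, not code from ManageEngine or from the vendor advisory. It models a generic "report" query that takes a user-supplied filter value and sort column, shows the injectable string-building form beside a hardened form, and goes slightly beyond the text by also allowlisting the ORDER BY identifier, since identifiers cannot be bound as parameters. The table name, columns, sample rows and the `hardened_report`/`vulnerable_report` function names are all assumptions made for the example; the database is an in-memory SQLite instance so the script runs offline.

```python
import sqlite3

# Constructed sample data standing in for a password-manager report table.
# The schema and rows are assumptions for this example, not the product's own.
SAMPLE_ROWS = [
    ("alice", "db-prod", "finance"),
    ("bob", "web-01", "engineering"),
    ("carol", "vault-core", "security"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE report (owner TEXT, resource TEXT, team TEXT)")
    conn.executemany("INSERT INTO report VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_report(conn: sqlite3.Connection, owner: str, sort_col: str) -> list:
    """CWE-89 pattern: user input is spliced straight into the SQL text,
    so the filter value can change the query's structure."""
    sql = (
        "SELECT owner, resource, team FROM report "
        f"WHERE owner = '{owner}' ORDER BY {sort_col}"
    )
    return conn.execute(sql).fetchall()


# Only these identifiers may reach the ORDER BY clause (SI-10 style allowlist).
ALLOWED_SORT_COLUMNS = {"owner", "resource", "team"}


class InvalidReportInput(ValueError):
    """Raised when a report parameter fails validation (SI-10 error handling)."""


def hardened_report(conn: sqlite3.Connection, owner: str, sort_col: str) -> list:
    """Hardened form: the filter value is passed as a bound parameter, so it is
    always treated as data; the sort column is validated against an allowlist
    before being interpolated, because SQL identifiers cannot be bound."""
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise InvalidReportInput(f"unsupported sort column: {sort_col!r}")
    sql = (
        "SELECT owner, resource, team FROM report "
        f"WHERE owner = ? ORDER BY {sort_col}"
    )
    return conn.execute(sql, (owner,)).fetchall()


def demo() -> tuple:
    """Run both forms against a constructed tautology input and return the
    number of rows each one leaks: (vulnerable_count, hardened_count)."""
    conn = make_db()
    hostile = "' OR '1'='1"  # constructed test input, the classic tautology
    leaked = vulnerable_report(conn, hostile, "owner")
    safe = hardened_report(conn, hostile, "owner")
    return len(leaked), len(safe)


if __name__ == "__main__":
    vulnerable_count, hardened_count = demo()
    print(f"vulnerable form returned {vulnerable_count} rows, hardened form returned {hardened_count}")
```

Running the script shows the vulnerable form returning every row for the hostile filter value while the hardened form returns none, because the bound parameter is compared as a literal string. The allowlist on `sort_col` is the part most report modules get wrong: binding covers values, but any column, table or direction name coming from the request still needs an explicit check, and rejecting unknown names with an error (rather than silently defaulting) gives the application log a signal that RA-5 scanning or detection tooling can pick up.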