JustAppSec

Patches stored XSS in Exchange Reporter Plus permission report

Published 03 Apr 2026 | Updated 03 Apr 2026 | Source: CVEProject (cvelistV5)

TL;DR — A stored XSS bug in a high-privilege Exchange reporting console can let an authenticated admin inject JavaScript that runs when others view the impacted report, enabling in-app actions as the victim.

What happened

ManageEngine Exchange Reporter Plus is an on-prem reporting/auditing product used to generate Exchange/Exchange Online reports for administrators.

CVE-2026-4108 describes a stored cross-site scripting (XSS) vulnerability in the Non-Owner Mailbox Permission report within the Reports module. Per the vendor’s advisory, an authenticated attacker with Exchange administrative privileges within the Exchange organization could inject and execute malicious scripts, and successful exploitation may let the attacker perform actions in Exchange Reporter Plus based on the privileges of the victim who later accesses the affected report.

The CVE record scores this CVSS v3.1 7.3 (High) and lists affected versions as builds prior to 5802. Stored XSS in admin/reporting consoles is a common pivot point for credential theft and privilege chaining because it targets workflows where privileged users routinely view attacker-influenced content.

Who is impacted

  • Organizations running ManageEngine Exchange Reporter Plus builds < 5802.
  • Highest risk environments are those where multiple administrators/analysts view shared reports and where Exchange admin credentials are broadly distributed (increasing the chance of an initial authenticated foothold).
| Component | Affected versions (per CVE record / vendor advisory) | Fixed version referenced by vendor |
|---|---|---|
| ManageEngine Exchange Reporter Plus | Builds < 5802 (vendor: 5801 and below) | 5802 |

What to do now

  • Follow vendor remediation guidance and apply the vendor’s update.
    • "Update your Exchange Reporter Plus instance to build 5802 or later using the service pack."

  • Treat this as an admin-session integrity risk: review who can influence data rendered in the affected report and reduce/segment Exchange administrative privileges where feasible.
  • If compromise is suspected, hunt for indicators consistent with stored XSS in reporting UIs (unexpected HTML/JS payloads in stored fields that are rendered in reports) and review Exchange Reporter Plus access/audit logs around report views and admin activity.
  • After updating, re-test the affected report viewing flows (especially for multi-admin environments) to ensure injected markup/scripts are not persisted or executed.
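One way to run the hunt described above over a report export, as an added example that is not the vendor's code: it assumes a hypothetical CSV layout (mailbox, delegate, access_right) with constructed rows, flags stored values that contain markup or event-handler syntax, and shows the output encoding (`render_cell`) that a post-update re-test would expect to see applied before such values reach report HTML.

```python
import csv
import html
import io
import re

# Constructed sample of a mailbox-permission report export. The column names
# are hypothetical; the real report's schema is not documented here.
SAMPLE_CSV = """mailbox,delegate,access_right
Finance Shared,alice@example.test,FullAccess
HR Shared,"<script>alert(1)</script>",FullAccess
Legal,"bob@example.test"" onmouseover=""x",SendAs
"""

# Fragments that never belong in a mailbox name, delegate or permission value.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z][^>]*>"      # any HTML tag
    r"|\bon[a-z]+\s*="           # inline event-handler attribute
    r"|javascript\s*:",          # javascript: URI scheme
    re.IGNORECASE,
)


def scan_report(csv_text):
    """Return (line_number, column, value) for every field that looks like markup."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        for col, val in row.items():
            if val and SUSPICIOUS.search(val):
                findings.append((line_no, col, val))
    return findings


def render_cell(value):
    """HTML-encode a stored value before placing it in report markup."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for line_no, col, val in scan_report(SAMPLE_CSV):
        print(f"line {line_no}, column {col!r}: {val!r}")
```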

Additional Information

  • Vendor advisory: https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-4108.html
