Stored XSS Vulnerability in ManageEngine Exchange Reporter Plus by Zoho Corp
CVE-2025-5366

8.1HIGH

Key Information:

Vendor: Manageengine
Status: Exchange Reporter Plus
Vendor: CVE Published:; 26 June 2025

🔔 Create Manageengine Vulnerability Alert

What is CVE-2025-5366?

ManageEngine Exchange Reporter Plus, up to version 5722, is susceptible to a Stored XSS vulnerability in the folder-wise read mails with subject report feature. This flaw allows attackers to inject malicious scripts into the application, compromising user interactions and potentially leading to data theft or unauthorized actions. It is crucial for users to apply updates and patches promptly to mitigate this risk.

Affected Version(s)

Exchange Reporter Plus 0 <= 5722

References

https://www.manageengine.com/products/exchange-reports/ad...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 26, 2025
Vulnerability Reserved
May 30, 2025

Credit

Ngockhanhc311 from FPT NightWolf