Stored XSS Vulnerability in ManageEngine Exchange Reporter Plus by Zohocorp
CVE-2025-5966

8.1HIGH

Key Information:

Vendor: Manageengine
Status: Exchange Reporter Plus
Vendor: CVE Published:; 26 June 2025

🔔 Create Manageengine Vulnerability Alert

What is CVE-2025-5966?

ManageEngine Exchange Reporter Plus versions up to 5722 are susceptible to a Stored XSS vulnerability through the 'Attachments by Filename' report feature. Attackers could exploit this weakness to inject malicious scripts, potentially compromising user data and leading to unauthorized actions within the application. It is crucial for users of these affected versions to implement necessary security measures and updates to prevent exploitation.

Affected Version(s)

Exchange Reporter Plus 0 <= 5722

References

https://www.manageengine.com/products/exchange-reports/ad...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 26, 2025
Vulnerability Reserved
Jun 10, 2025

Credit

Ngockhanhc311 from FPT NightWolf