SQL Injection Vulnerability in ManageEngine ADSelfService Plus by Zohocorp
CVE-2026-1367

8.3HIGH

Key Information:

Vendor: Zohocorp
Status: Manageengine Adselfservice Plus
Vendor: CVE Published:; 23 February 2026

What is CVE-2026-1367?

ADSelfService Plus, developed by Zohocorp, is subject to an authenticated SQL Injection vulnerability within its search report feature. This flaw allows attackers to execute unauthorized SQL queries against the database, potentially leading to data exposure or manipulation. Users of versions 6522 and below should prioritize patching their installations to mitigate potential exploitation risks.

Affected Version(s)

ManageEngine ADSelfService Plus 0 < 6523

References

https://www.manageengine.com/uk/products/self-service-pas...

CVSS V3.1

Score:

8.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 23, 2026
Vulnerability Reserved
Jan 23, 2026

Credit

Nguyen Dang Toan

CVE-2026-1367 Data

JSON