This vulnerability (CVE-2026-27655) affects ManageEngine Exchange Reporter Plus prior to version 5802. It is a stored cross-site scripting (CWE-79) flaw in the Permissions Based on Mailboxes report, where user input is not properly sanitized before being included in web pages. This can allow an attacker with at least low privileges and requiring user interaction to execute arbitrary scripts in the context of the affected application, potentially compromising confidentiality and integrity of data. The CVSS 3.1 vector indicates network attack vector, low attack complexity, privileges required, user interaction required, unchanged scope, and high impact on confidentiality and integrity.

Successful exploitation can lead to unauthorized disclosure or modification of sensitive information within the application context. The vulnerability does not impact availability. The attacker needs some privileges and user interaction to exploit the vulnerability. No known active exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or fix is indicated, users should monitor for updates from Zohocorp and apply any released patches promptly. Until then, consider restricting access to the affected report to trusted users only and apply web application firewall rules if possible to detect and block XSS payloads targeting this component.