Zohocorp ManageEngine Exchange Reporter Plus versions prior to 5802 contain a stored XSS vulnerability (CWE-79) in the Permissions based on Distribution Groups report. This vulnerability allows an attacker with limited privileges to inject malicious scripts that execute in the context of other users, potentially leading to disclosure or modification of sensitive information. The CVSS 3.1 base score is 7.3, reflecting network attack vector, low attack complexity, required privileges, user interaction, and high impact on confidentiality and integrity. The vulnerability is published and assigned CVE-2026-28756 but lacks an official remediation level or patch link at this time.

Successful exploitation of this stored XSS vulnerability can lead to unauthorized disclosure and modification of sensitive data within the application context. The vulnerability does not affect system availability. Because the attack requires some privileges and user interaction, the risk is mitigated somewhat but remains significant due to the high confidentiality and integrity impacts.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, limit user privileges to reduce exposure and avoid interacting with suspicious content in the affected report. Monitor ManageEngine advisories for updates regarding patches or official mitigations.