Remote code execution vulnerability in the Reports module

CVE ID : CVE-2026-12507

Product NameSeverityAffected Version(s)Fixed VersionFixed On
AssetExplorerHigh7850 and below7860June 19, 2026
ServiceDesk PlusHigh15280 and below15290June 19, 2026
ServiceDesk Plus MSPHigh15140 and below15150June 22, 2026
SupportCenter PlusHigh15140 and below15150June 22, 2026

Details

A remote code execution vulnerability in the Reports module allowed authenticated users with the Create Query Reports permission to perform specially crafted database queries that could lead to malicious attacks.

Impact

This vulnerability allows a threat actor who has the Create Query Reports permission within the Reports module to perform specially crafted database queries with Jasper expressions, execute arbitrary commands, and subsequently carry out further malicious attacks.

How was it resolved?

We resolved this issue by ensuring that user input validation is configured with only the required privileges, preventing the execution of queries that trigger Jasper expressions.

Steps to upgrade

  1. Download the latest service pack of your product:
  2. Apply the latest build to your existing product installation as per the service pack instructions provided in the above links.

Acknowledgements

This vulnerability was reported by Phan Cong Anh Tuan through our bug bounty portal.

If you have any questions or concerns, please contact product support.

AssetExplorer: assetexplorer-support@manageengine.com

ServiceDesk Plus: support@servicedeskplus.com

ServiceDesk Plus MSP: support@servicedeskplusmsp.com

SupportCenter Plus: support@supportcenterplus.com

Let's support faster, easier, and together