CVE ID : CVE-2026-12507
| Product Name | Severity | Affected Version(s) | Fixed Version | Fixed On |
|---|---|---|---|---|
| AssetExplorer | High | 7850 and below | 7860 | June 19, 2026 |
| ServiceDesk Plus | High | 15280 and below | 15290 | June 19, 2026 |
| ServiceDesk Plus MSP | High | 15140 and below | 15150 | June 22, 2026 |
| SupportCenter Plus | High | 15140 and below | 15150 | June 22, 2026 |
Details
A remote code execution vulnerability in the Reports module allowed authenticated users with the Create Query Reports permission to perform specially crafted database queries that could lead to malicious attacks.
Impact
This vulnerability allows a threat actor who has the Create Query Reports permission within the Reports module to perform specially crafted database queries with Jasper expressions, execute arbitrary commands, and subsequently carry out further malicious attacks.
How was it resolved?
We resolved this issue by ensuring that user input validation is configured with only the required privileges, preventing the execution of queries that trigger Jasper expressions.
Steps to upgrade
Acknowledgements
This vulnerability was reported by Phan Cong Anh Tuan through our bug bounty portal.
If you have any questions or concerns, please contact product support.
AssetExplorer: assetexplorer-support@manageengine.com
ServiceDesk Plus: support@servicedeskplus.com
ServiceDesk Plus MSP: support@servicedeskplusmsp.com
SupportCenter Plus: support@supportcenterplus.com