Security Updates - CVE Database

CVE-2026-12574

Server-side HTML/JavaScript injection in analytics PDF generation leading to local file disclosure fixed in build 6201

Severity: High

CVE ID: CVE-2026-12574

Affected Software Version(s): DDI Central 6.2.0 / Build 6200

Fixed Version: Build 6201

Fixed on: June 18, 2026

Details:

ManageEngine DDI Central 6.2.0 (build 6200) had a server-side HTML/JavaScript injection vulnerability in the analytics PDF generation workflow. An operator-level user could inject unsafe content into generated reports, potentially leading to local file disclosure through the PDF renderer.

The vulnerability has been fixed by escaping user-supplied values in analytics report templates and restricting local file access through the PDF renderer.
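
A sketch of the two controls named in the fix, as an added example that is not ManageEngine's code: the template, field names, allowlist and function names are hypothetical, since the advisory does not name the template engine or the PDF renderer. It escapes user-supplied values when the template is filled, then audits the resulting HTML for active content and non-allowlisted resource URLs before it would be handed to a renderer.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical analytics report template; title and owner are user-supplied.
TEMPLATE = ('<html><body><img src="https://reports.example.invalid/logo.png">'
            '<h1>{title}</h1><p>Owner: {owner}</p></body></html>')
ALLOWED_SCHEMES = {"https"}  # assumption: the report needs no local resources
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "link", "meta", "base"}
URL_ATTRS = {"src", "href", "data", "action"}

def render_unescaped(title, owner):
    """The 'before' pattern: raw values are interpreted as markup."""
    return TEMPLATE.format(title=title, owner=owner)

def render_report(title, owner):
    """Escape every user-supplied value so it can only render as text."""
    return TEMPLATE.format(title=html.escape(title, quote=True),
                           owner=html.escape(owner, quote=True))

class RenderAudit(HTMLParser):
    """Records active-content tags, event handlers and off-allowlist URLs."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"handler:{name}")
            elif name in URL_ATTRS and value:
                # Relative URLs are flagged too: they resolve against the
                # renderer's base, which may be a local path.
                scheme = urlsplit(value.strip()).scheme.lower()
                if scheme not in ALLOWED_SCHEMES:
                    self.findings.append(f"url:{name}={scheme or 'relative'}")

def audit(document):
    """Return findings; an empty list means the HTML may go to the renderer."""
    parser = RenderAudit()
    parser.feed(document)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    # Constructed input with a placeholder path, not taken from the advisory.
    sample = '<script src="file:///placeholder/path"></script>'
    print(audit(render_unescaped(sample, "ops")))
    print(audit(render_report(sample, "ops")))
```

The audit is a second layer behind escaping: it catches a template field that was missed, and its allowlist mirrors the restriction the renderer itself should enforce.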

Impact:

Successful exploitation of this vulnerability could result in disclosure of local files through generated analytics PDF reports.

Steps to upgrade:

Update your DDI Central Console and Node Agent instances to the latest build 6201 using the service pack.

Acknowledgements:

This issue was reported by Quan.