This page contains a list of all security vulnerabilities fixed in OpManager along with its CVE ID and fixed build number. Go to ManageEngine's Security Response Center to report vulnerabilities on ManageEngine products.
| CVE / ZVE ID | Synopsis | Severity | Fixed in version | Link to latest build |
|---|---|---|---|---|
| ZVE-2025-7373 | General : A DOM-based XSS vulnerability was identified in Upgrade Manager Settings due to improper handling of message data in HTML. This issue has now been fixed. (Reported by Daniel Santos) | High | 128665/ 128633 / 128589 | Download |
| ZVE-2025-7390 | OpManager : A Command Injection vulnerability was detected in the Notification Profiles module. This has now been fixed. (Reported by Daniel Santos) | High | 128665 / 128634 / 128589 | |
| CVE-2025-9226 | OpManager: The stored Cross-Site Scripting (XSS) vulnerability allowed authenticated, low-privileged user with permission to modify subnet details to inject malicious JavaScript payloads. This has been fixed. (Reported by tuannq x ngockhanhc311. Refer CVE-2025-9226) | Medium | 128610 / 128598 / 128543 / 128466 | |
| CVE-2025-9227 | OpManager : A Stored Cross-Site Scripting (XSS) vulnerability was identified in the description field of the SNMP Trap Processor module. This issue has now been fixed. (Reported by tuannq x ngockhanhc311. Refer CVE-2025-9227) | Medium | 128610 / 128598 / 128588 / 128543 / 128466 | |
| CVE-2025-41437 | General: A reflected XSS vulnerability was discovered on the Login page. This issue has now been resolved. (Reported by Andrey Alekseev - Positive Technologies). | Medium | 128566 / 128555 / 128542 / 128463 | |
| CVE-2024-9871 | General: A potential privilege escalation vulnerability existed due to incorrect permissions on the product's temporary directory. This allowed for arbitrary file deletion and local privilege escalation. This issue has been resolved by implementing appropriate Access Control Lists on the affected directory. (Reported by Crispr Xiang) | Medium | 128511 / 128461 / 128405 | |
| CVE-2024-5466 | OpManager: A Remote Code Execution (RCE) vulnerability could be exploited by users with 'Write' access to the 'Deploy Agent' action in the UI. This has been fixed now. (Reported by Daniel Santos) | High | 128330 / 128320 / 128188 / 128268 | |
| CVE-2024-6748 | OpManager: The SQL injection vulnerability identified in the URL Monitoring has now been fixed. (Reported by: CrisprXiang, Cokebeer, and LFY) | High | 128318/ 128186/ 128267 | |
| CVE-2024-38870 | OpManager: A stored XSS vulnerability was discovered in Schedule reports. This has now been fixed. (Reported by Muhammed Mekkawy. Refer:CVE-2024-38870) | Medium | 128104/ 128238/ 128250 | |
| CVE-2024-36038 | The stored XSS vulnerabilities was identified with the configured proxy server from 128234 version, have now been fixed. (Reported by Muhammed Mekkawy.) | High | 128249 | |
| ZVE-2024-1132 | Previously, CSRF vulnerability (ZVE-2024-1132) was detected where the external users were able to utilize the network tools without authentication to perform ping or SNMP ping on network devices. This has now been fixed. (Reported by Jayateertha Guruprasad). | Medium | 128103/ 128247 | |
| CVE-2023-47211 | Earlier, path traversal vulnerability was detected for MIB browser. This issue has now been fixed by implementing path sanitization. | High | 127260/ 127248/ 127194/ 127193 | |
| CVE-2023-29505 | Previously, a WebSocket connection was affected by a Cross-site WebSocket hijacking vulnerability. This issue has been fixed by validating the origin of the websocket request. | Low | 127131 / 127120 / 127109 | |
| CVE-2023-31099 | Enterprise Edition: Remote code execution vulnerability was identified during the data transfer in the Enterprise Edition. This has been fixed now. | High | 126324 | |
| ZVE-2023-0284 | OpManager : The Stored XSS vulnerability issues, that lead to JS injection, and were identified in the URL Monitors, have been fixed now. (Reported by Ranjit Pahan). | Medium | 126279 / 126155 / 126263 | |
| CVE-2022-43473 | OpManager : Previously, there was an XML External Entity (XXE) vulnerability in UCS module. It has been fixed now. (Reported by Cisco Talos-Marcin Noga) | Medium | 126141 / 126154/ 126169 | |
| CVE-2022-37024 | Earlier, there was a Remote Code Execution (RCE) vulnerability in IPv6 address management reported by an anonymous working with Trend Micro Zero Day Initiative. This has been fixed now. | High | 126120 / 126105 / 126003 / 125658 | |
| CVE-2022-38772 | Earlier, there was a Remote Code Execution (RCE) vulnerability in IPv4 address management reported by an anonymous working with Trend Micro Zero Day Initiative. This has been fixed now. | High | 126120 / 126105 / 126003 / 125658 | |
| CVE-2022-36923 | A vulnerability resulted in unauthenticated access of the user API key. This issue has been fixed now. (Reported by Anonymous working with Trend Micro Zero Day Initiative) | Critical | 126118 / 126104 / 126002 / 125657 | |
| CVE-2022-35404 | Unauthorized creation of files lead to high resource consumption. This has been fixed now.(Reported by Tenable) | Medium | 125639/ 125655/ 126101 | |
| CVE-2022-29535 | The SQL injection vulnerability issues identified in few default reports have been fixed now. (Reported by Anh Vu) | High | 125589/ 125604/ 125629 | |
| CVE-2022-27908 | Earlier, an SQL injection vulnerability was noticed in the Inventory Reports module. It has been fixed now. | High | 125588/ 125603 | |
| CVE-2022-24703 | Earlier, there was a stored XSS vulnerability in the Schedule name field of Schedule page. This issue is fixed now. | Medium | 125584 | |
| CVE-2021-43319 | Remote Code Execution (RCE) vulnerability in the Ping functionality. | High | 125457/ 125473 | |
| CVE-2021-41288 | SQL injection vulnerability noticed in the Reports module. | High | 125437/ 125455 and 125467 | |
| CVE-2021-40493 | SQL injection vulnerability noticed in support diagnostics module. | High | 125437/ 125453 | |
| CVE-2021-20078 | Folder deletion due to path traversal vulnerability in Remote Desktop feature | Critical | 125332/ 125347 | |
| CVE-2021-3287 | Unauthenticated Remote Code Execution (RCE) vulnerability due to general bypass for the deserialization class. | Critical | 125220/ 125314 | |
| CVE-2020-28653 | Unauthenticated Remote Code Execution (RCE) vulnerability in the Smart Update Manager (SUM) servlet. | High | 125203/ 125218 | |
| CVE-2020-19554 | A reflected XSS vulnerability when the API key contained an XML-based XSS payload | Medium | 125177 | |
| CVE-2020-13818 | Directory Traversal validation was being bypassed when using <cachestart>. | High | 125144 | |
| CVE-2020-12116 | Path Traversal vulnerability | High | 124196/ 125125 | |
| CVE-2020-11946 | Unauthenticated access to API key disclosure from a servlet call | High | 124188/ 125120 | |
| CVE-2020-11527 | File read vulnerability in Arbitrary file | High | 124181 | |
| CVE-2020-10541 | Remote Code Execution (RCE) vulnerability in Mail Server Settings v1 APIs | High | 124172 | |
| CVE-2019-17421 | Incorrect file permissions on the packaged Nipper executable file | Medium | 124079 and 124099 | |
| CVE-2019-17602 | SQL injection vulnerability | High | 124078/ 124089 | |
| CVE-2019-15106 | User login bypass vulnerability in APM plugin | High | 124062/ 124070 | |
| CVE-2017-11560 | HTML Injection vulnerability | Medium | 124033 | |
| Internal | An operator user could access some restricted folders by bypassing the session. | High | 123241 | |
| CVE-2018-20339 | XSS vulnerability in 'Alarms' and 'Notes'. | High | 123239 | |
| CVE-2018-20338 | SQL Injection vulnerability in 'Alarms'. | High | 123239 | |
| CVE-2018-20173 | SQL Injection vulnerability in performance monitors' graph. | High | 123238 | |
| CVE-2018-19921 | XSS vulnerability in adding/updating domain controller. | High | 123237 | |
| CVE-2018-19403 | Unauthenticated Remote Code Execution (RCE) vulnerability. | High | 123231 | |
| CVE-2018-19288 | XSS vulnerability in updating 'Widgets API'. | High | 123223 | |
| CVE-2018-18949 | SQL Injection vulnerability in 'Mail Server' settings. | High | 123222 | |
| CVE-2018-18980 | XML external entity vulnerability in 'Business view' page. | High | 123214 | |
| CVE-2018-18475 | Unrestricted file upload vulnerability in uploading a background image in 'Business view'. | High | 123214 | |
| CVE-2018-18262 | XSS vulnerability in 'Add Custom Category'. | High | 123214 | |
| CVE-2018-12997, CVE-2018-12998 | Injecting arbitrary web script or HTML via the parameter 'operation'. | High | 123169 | |
| CVE-2018-9088, CVE-2018-9087, CVE-2018-9089 | SQL Injection vulnerability in 'FailOverHelperServlet'. | High | 123157 | |
| CVE-2018-10803 | XSS vulnerability (Cross-site-scripting) in 'Add credentials' page. | High | 123122 | |
| CVE-2017-12617 | Uploading JSP file to server via 'HTTP PUT' method | High | 123046 |