Free Edition| Vulnerability Details | |
| Severity | High |
| CVE ID | CVE-2026-28756 |
| Affected software versions | Builds 5801 and below |
| Fixed version | 5802 |
| Fixed on | March 19, 2026 |
CVE-2026-28756 describes a stored XSS vulnerability in the Permissions based on Distribution Groups report within the Reports module.
This vulnerability could allow an authenticated attacker with Exchange administrative privileges within the Exchange organization to inject and execute malicious scripts. Successful exploitation may enable the attacker to perform actions within Exchange Reporter Plus based on the privileges of the victim who accesses the affected report.
This issue has been resolved in Exchange Reporter Plus version 5802 by implementing proper input validation.
Update your Exchange Reporter Plus instance to build 5802 or later using the service pack.
This vulnerability was reported by C311 through the Zoho BugBounty program.
If you have any questions or need assistance updating the product to the latest version, please contact product support or our security team.
