| Vulnerability Details | |
| --- | --- |
| Severity | High |
| ZVE ID | ZVE-2026-1981 |
| Affected software versions | Build 8041 and older |
| Fixed version | Build 8042 |
| Fixed on | April 21, 2026 |
ZVE-2026-1981 refers to an authenticated command injection vulnerability in the /api/json/admin/testCustomScript endpoint of ADManager Plus. Improper handling of user-supplied input in custom function testing allowed users to inject and execute arbitrary system commands on the server.
Users with Custom Functions privileges could exploit this issue by manipulating the ARGUMENTS parameter. Additionally, the functionality was accessible to lower-privileged roles (such as HR Associate), increasing the attack surface. This issue has been fixed in build 8042.
This vulnerability could allow an authenticated adversary to:
This issue has been resolved in ADManager Plus build 8042 by implementing strict input validation and sanitization of user-supplied parameters in the custom function testing endpoint, along with enforcing proper access controls to prevent execution of unauthorized system commands.
Update your ADManager Plus instance to the latest build by installing the service pack.
This vulnerability was reported by khanh nguyen via Zoho's Bug Bounty program.
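For triage on instances that ran build 8041 or older, the following added example (not vendor code) scans web access logs for requests to the endpoint named in this advisory and groups them by client address. It assumes Common Log Format lines; the function names `hits_endpoint` and `hunt` and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Endpoint named in the advisory, lower-cased for comparison.
ENDPOINT = "/api/json/admin/testcustomscript"

# Assumption: Common/Combined Log Format; adjust the pattern to your deployment.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)

def hits_endpoint(target):
    """True if the request target, once normalised, is the advisory's endpoint."""
    # Drop the query string, decode, drop path parameters (;jsessionid=...).
    path = unquote(target.split("?", 1)[0]).split(";", 1)[0]
    path = re.sub(r"/+", "/", path).rstrip("/")
    return path.lower() == ENDPOINT

def hunt(lines):
    """Group endpoint requests by client IP: count, first/last seen, statuses."""
    found = defaultdict(
        lambda: {"count": 0, "first": None, "last": None, "statuses": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not hits_endpoint(m["target"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec = found[m["ip"]]
        rec["count"] += 1
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
        rec["statuses"].add(int(m["status"]))
    return dict(found)

# Constructed sample lines, not real traffic.
SAMPLE = [
    '10.0.5.21 - - [14/Apr/2026:09:12:01 +0000] "POST /api/json/admin/testCustomScript HTTP/1.1" 200 512',
    '10.0.5.21 - - [14/Apr/2026:09:12:40 +0000] "POST /api/json/admin/testCustomScript?x=1 HTTP/1.1" 200 498',
    '10.0.7.3 - - [15/Apr/2026:18:03:22 +0000] "POST //api/json/admin/TestCustomScript HTTP/1.1" 403 87',
    '10.0.5.99 - - [15/Apr/2026:18:04:00 +0000] "GET /favicon.ico HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for ip, rec in hunt(SAMPLE).items():
        print(ip, rec["count"], rec["first"], rec["last"], sorted(rec["statuses"]))
```

Access logs typically show that the endpoint was called, not what the ARGUMENTS parameter contained, so each hit is a lead to correlate with the account's role and with process activity on the server at that time.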