High severity 8.3 · NVD Advisory · Published Feb 23, 2026 · Updated Apr 15, 2026

CVE-2026-1367

Description

Zohocorp ManageEngine ADSelfService Plus versions 6522 and below are vulnerable to authenticated SQL Injection in the search report option.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2026-1367 is an authenticated SQL injection in ManageEngine ADSelfService Plus (builds ≤6522) via the search report option, allowing technicians to execute arbitrary SQL commands.

Zohocorp ManageEngine ADSelfService Plus versions 6522 and below contain an authenticated SQL injection vulnerability in the search report option. The issue arises when custom input provided by an authenticated technician is used to search reports; this input is incorporated into SQL queries sent from the Reports module to the database without adequate validation or sanitization [1]. This allows the injection of arbitrary SQL commands.

Exploitation requires an authenticated ADSelfService Plus technician account; end users cannot exploit this vulnerability. The technician must access the search report functionality and supply malicious input that is not properly sanitized, enabling the attacker to manipulate the SQL query sent to the backend database [1].

A successful attack enables the technician to execute arbitrary SQL commands through the Reports module. This can lead to unauthorized modifications to the ADSelfService Plus database, potentially compromising data integrity or exposing sensitive information [1].

This issue has been resolved in ADSelfService Plus build 6523, released on January 25, 2026. The fix ensures that all queries to the database are properly sanitized, preventing SQL injection. Users are advised to update their instances to build 6523 or later using the service pack [1].
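The flaw class and the fix described above, as an added example that is not ManageEngine's code: a report search built by string concatenation beside a bound-parameter version. The `reports` table, the function names and the use of SQLite are assumptions made for illustration; the example also goes beyond the advisory by escaping LIKE wildcards and allow-listing the sort column, which bound parameters alone do not cover.

```python
import sqlite3

# Constructed stand-in data: a hypothetical report table, not the product's schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reports (id INTEGER, name TEXT, owner TEXT)")
    db.executemany("INSERT INTO reports VALUES (?, ?, ?)", [
        (1, "Password resets", "tech1"),
        (2, "Account unlocks", "tech1"),
        (3, "100% enrollment audit", "admin"),
    ])
    return db

def search_reports_unsafe(db, owner, term):
    # Flawed pattern: the search term is spliced into the SQL text, so a quote
    # in the term ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT id FROM reports WHERE owner = '" + owner +
           "' AND name LIKE '%" + term + "%' ORDER BY id")
    return [r[0] for r in db.execute(sql)]

SORTABLE = {"id", "name"}  # identifiers cannot be bound, so allow-list them

def search_reports_safe(db, owner, term, sort="id"):
    if sort not in SORTABLE:
        raise ValueError("unsupported sort column")
    # Escape LIKE wildcards so the term matches literally, then bind it.
    literal = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = ("SELECT id FROM reports WHERE owner = ? "
           "AND name LIKE ? ESCAPE '\\' ORDER BY " + sort)
    return [r[0] for r in db.execute(sql, (owner, "%" + literal + "%"))]

# Constructed search term containing a quote, used to compare both functions.
PROBE = "x' OR 'a' LIKE '"

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", search_reports_unsafe(db, "tech1", PROBE))
    print("safe:  ", search_reports_safe(db, "tech1", PROBE))
```

In the concatenated version the probe widens the result set beyond the caller's own rows; in the bound version it is only a string that matches no report name.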

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1


References

1
