Vendor CVEs
ManageEngine
All CVEs
296 total · sorted by risk

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2012-4891 | 0.03 | — | 0.04 | Sep 10, 2012 | Cross-site scripting (XSS) vulnerability in fw/index2.do in ManageEngine Firewall Analyzer 7.2 allows remote attackers to inject arbitrary web script or HTML via the url parameter, a different vector than CVE-2012-4889. NOTE: the provenance of this information is unknown; the… | |||
| CVE-2012-2585 | 0.03 | — | 0.01 | Aug 12, 2012 | Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine ServiceDesk Plus 8.1 allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with (1) a SCRIPT element, (2) a crafted Cascading Style Sheets (CSS) expression property, (3) a CSS… | |||
| CVE-2012-1049 | 0.03 | — | 0.02 | Feb 13, 2012 | Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine ADManager Plus 5.2 Build 5210 allow remote attackers to inject arbitrary web script or HTML via the (1) domainName parameter to jsp/AddDC.jsp or (2) operation parameter to DomainConfig.do. | |||
| CVE-2010-1044 | 0.03 | — | 0.01 | Mar 23, 2010 | SQL injection vulnerability in Login.do in ManageEngine OpUtils 5.0 allows remote attackers to execute arbitrary SQL commands via the isHttpPort parameter. | |||
| CVE-2008-0474 | 0.03 | — | 0.01 | Jan 29, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine Applications Manager 8.1 build 8100 allow remote attackers to inject arbitrary web script or HTML via the (1) showlink parameter to jsp/DiscoveryProfiles.jsp; the (2) attributeIDs, (3) attributeToSelect, (4)… | |||
| CVE-2007-3593 | 0.03 | — | 0.04 | Jul 6, 2007 | Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine NetFlow Analyzer 5 allow remote attackers to inject arbitrary web script or HTML via the (1) alpha parameter in (a) netflow/jspui/applicationList.jsp, the (2) task parameter in (b) netflow/jspui/appConfig.jsp,… | |||
| CVE-2007-3594 | 0.03 | — | 0.06 | Jul 6, 2007 | Multiple cross-site scripting (XSS) vulnerabilities in AdventNet ManageEngine OpManager 6 and 7 allow remote attackers to inject arbitrary web script or HTML via the (1) name parameter in (a) ping.do and (b) traceRoute.do in map/; the (2) reportName, (3) displayName, and (4)… | |||
| CVE-2005-3522 | 0.03 | — | 0.02 | Nov 6, 2005 | Cross-site scripting (XSS) vulnerability in index.jsp in ManageEngine Netflow Analyzer 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the grDisp parameter. | |||
| CVE-2024-0252 | 0.02 | — | 0.08 | Jan 11, 2024 | ManageEngine ADSelfService Plus versions 6401 and below are vulnerable to the remote code execution due to the improper handling in the load balancer component. Authentication is required in order to exploit this vulnerability. | |||
| CVE-2022-43473 | 0.02 | — | 0.20 | Mar 30, 2023 | A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168. A specially crafted XML file can lead to SSRF. An attacker can serve a malicious XML payload to trigger this vulnerability. | |||
| CVE-2022-36923 | 0.02 | — | 0.08 | Aug 10, 2022 | Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user's API key, and… | |||
| CVE-2022-23050 | 0.02 | — | 0.05 | May 24, 2022 | ManageEngine AppManager15 (Build No:15510) allows an authenticated admin user to upload a DLL file to perform a DLL hijack attack inside the 'working' folder through the 'Upload Files / Binaries' functionality. | |||
| CVE-2022-29535 | 0.02 | — | 0.93 | May 5, 2022 | Zoho ManageEngine OPManager through 125588 allows SQL Injection via a few default reports. | |||
| CVE-2022-24681 | 0.02 | — | 0.04 | Apr 7, 2022 | Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screen. | |||
| CVE-2020-24743 | 0.02 | — | 0.03 | Nov 3, 2021 | An issue was found in /showReports.do Zoho ManageEngine Applications Manager up to 14550, allows attackers to gain escalated privileges via the resourceid parameter. | |||
| CVE-2021-37922 | 0.02 | — | 0.02 | Oct 7, 2021 | Zoho ManageEngine ADManager Plus version 7110 and prior is vulnerable to path traversal which allows copying of files from one directory to another. | |||
| CVE-2021-28959 | 0.02 | — | 0.17 | Apr 30, 2021 | Zoho ManageEngine Eventlog Analyzer through 12147 is vulnerable to unauthenticated directory traversal via an entry in a ZIP archive. This leads to remote code execution. | |||
| CVE-2020-10816 | 0.02 | — | 0.05 | Oct 8, 2020 | Zoho ManageEngine Applications Manager 14780 and before allows a remote unauthenticated attacker to register managed servers via AAMRequestProcessor servlet. | |||
| CVE-2019-12196 | 0.02 | — | 0.69 | Jun 5, 2019 | A SQL injection vulnerability in /client/api/json/v2/nfareports/compareReport in Zoho ManageEngine NetFlow Analyzer 12.3 allows attackers to execute arbitrary SQL commands via the DeviceID parameter. | |||
| CVE-2018-18980 | 0.02 | — | 0.25 | Nov 6, 2018 | An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local… | |||
| CVE-2014-9371 | 0.02 | — | 0.19 | Dec 16, 2014 | The NativeAppServlet in ManageEngine Desktop Central MSP before 90075 allows remote attackers to execute arbitrary code via a crafted JSON object. | |||
| CVE-2025-5966 | 0.01 | — | 0.01 | Jun 26, 2025 | Zohocorp ManageEngine Exchange reporter Plus version 5722 and below are vulnerable to Stored XSS in the Attachments by filename keyword report. | |||
| CVE-2025-5366 | 0.01 | — | 0.01 | Jun 26, 2025 | Zohocorp ManageEngine Exchange reporter Plus version 5722 and below are vulnerable to Stored XSS in the Folder-wise read mails with subject report. | |||
| CVE-2025-36527 | 0.01 | — | 0.20 | May 23, 2025 | Zohocorp ManageEngine ADAudit Plus versions below 8511 are vulnerable to SQL injection while exporting reports. | |||
| CVE-2024-5471 | 0.01 | — | 0.02 | Jul 17, 2024 | Zohocorp ManageEngine DDI Central versions 4001 and prior were vulnerable to agent takeover vulnerability due to the hard-coded sensitive keys. | |||
| CVE-2023-48792 | 0.01 | — | 0.07 | Feb 2, 2024 | Zoho ManageEngine ADAudit Plus through 7250 is vulnerable to SQL Injection in the report export option. | |||
| CVE-2023-26601 | 0.01 | — | 0.34 | Mar 6, 2023 | Zoho ManageEngine ServiceDesk Plus through 14104, Asset Explorer through 6987, ServiceDesk Plus MSP before 14000, and Support Center Plus before 14000 allow Denial-of-Service (DoS). | |||
| CVE-2022-28987 | 0.01 | — | 0.10 | May 20, 2022 | Zoho ManageEngine ADSelfService Plus before 6202 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login. | |||
| CVE-2021-20147 | 0.01 | — | 0.07 | Jan 3, 2022 | ManageEngine ADSelfService Plus below build 6116 contains an observable response discrepancy in the UMCP operation of the ChangePasswordAPI. This allows an unauthenticated remote attacker to determine whether a Windows domain user exists. | |||
| CVE-2021-37419 | 0.01 | — | 0.02 | Sep 21, 2021 | Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to SSRF. | |||
| CVE-2021-37424 | 0.01 | — | 0.05 | Sep 21, 2021 | ManageEngine ADSelfService Plus before 6112 is vulnerable to domain user account takeover. | |||
| CVE-2021-37421 | 0.01 | — | 0.02 | Aug 30, 2021 | Zoho ManageEngine ADSelfService Plus 6103 and prior is vulnerable to admin portal access-restriction bypass. | |||
| CVE-2021-33256 | 0.01 | — | 0.79 | Aug 9, 2021 | A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus Version: 6.1 Build No: 6101 can be exploited by an unauthenticated user. The j_username parameter seems to be vulnerable and a reverse shell could be obtained if a privileged user exports "User… | |||
| CVE-2021-20080 | 0.01 | — | 0.93 | Apr 9, 2021 | Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks by uploading a crafted XML asset file. | |||
| CVE-2020-24786 | 0.01 | — | 0.13 | Aug 31, 2020 | An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before build number 6017, EventLog Analyzer… | |||
| CVE-2020-11527 | 0.01 | — | 0.09 | Apr 4, 2020 | In Zoho ManageEngine OpManager before 12.4.181, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files. | |||
| CVE-2020-8509 | 0.01 | — | 0.10 | Mar 30, 2020 | Zoho ManageEngine Desktop Central before 10.0.483 allows unauthenticated users to access PDFGenerationServlet, leading to sensitive information disclosure. | |||
| CVE-2017-11559 | 0.01 | — | 0.04 | May 23, 2019 | An issue was discovered in ZOHO ManageEngine OpManager 12.2. The 'apiKey' parameter of "/api/json/admin/getmailserversettings" and "/api/json/dashboard/gotoverviewlist" is vulnerable to a Blind SQL Injection attack. | |||
| CVE-2019-11678 | 0.01 | — | 0.09 | May 2, 2019 | The "default reports" feature in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123218 is vulnerable to SQL Injection. | |||
| CVE-2018-20173 | 0.01 | — | 0.24 | Dec 17, 2018 | Zoho ManageEngine OpManager 12.3 before 123238 allows SQL injection via the getGraphData API. | |||
| CVE-2018-19118 | 0.01 | — | 0.07 | Dec 13, 2018 | Zoho ManageEngine ADAudit before 5.1 build 5120 allows remote attackers to cause a denial of service (stack-based buffer overflow) via the 'Domain Name' field when adding a new domain. | |||
| CVE-2018-18949 | 0.01 | — | 0.24 | Nov 5, 2018 | Zoho ManageEngine OpManager 12.3 before 123222 has SQL Injection via Mail Server settings. | |||
| CVE-2014-9373 | 0.01 | — | 0.06 | Dec 16, 2014 | Directory traversal vulnerability in the CollectorConfInfoServlet servlet in ManageEngine NetFlow Analyzer allows remote attackers to execute arbitrary code via a .. (dot dot) in the filename. | |||
| CVE-2026-11374 | 0.00 | — | 0.01 | Jun 23, 2026 | In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, leading to account takeover. | |||
| CVE-2025-12381 | 0.00 | — | 0.00 | Dec 9, 2025 | Improper Privilege Management vulnerability in AlgoSec Firewall Analyzer on Linux, 64 bit allows Privilege Escalation, Parameter Injection. A local user with access to the command line may escalate their privileges by abusing the parameters of a command that is approved in the… | |||
| CVE-2025-12382 | 0.00 | — | 0.00 | Nov 12, 2025 | Improper Limitation of a Pathname 'Path Traversal') vulnerability in Algosec Firewall Analyzer on Linux, 64 bit allows an authenticated user to upload files to a restricted directory leading to code injection. This issue affects Algosec Firewall Analyzer: A33.0 (up to build… | |||
| CVE-2025-5343 | 0.00 | — | 0.00 | Oct 30, 2025 | Zohocorp ManageEngine Exchange Reporter Plus versions through 5721 are vulnerable to Stored Cross Site Scripting in the Instant Search option. | |||
| CVE-2025-27930 | 0.00 | — | 0.00 | Jul 23, 2025 | Zohocorp ManageEngine Applications Manager versions 176600 and prior are vulnerable to stored cross-site scripting in the File/Directory monitor. | |||
| CVE-2025-41444 | 0.00 | — | 0.01 | Jun 9, 2025 | Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in the alerts module. | |||
| CVE-2025-36528 | 0.00 | — | 0.01 | Jun 9, 2025 | Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in Service Account Auditing reports. |
Page 3 of 6