Vendor CVEs
Zohocorp
All CVEs
265 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-20484 | | | 0.03 | — | 0.05 | | Dec 26, 2018 | Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the self-update layout implementation. |
| CVE-2015-5150 | | | 0.03 | — | 0.04 | | Jun 30, 2015 | Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.90 allow remote authenticated users to inject arbitrary web script or HTML via the (1) query parameter in the run_query_editor_query module to CustomReportHandler.do, (2) compAcct… |
| CVE-2015-1479 | | | 0.03 | — | 0.04 | | Feb 4, 2015 | SQL injection vulnerability in reports/CreateReportTable.jsp in ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to execute arbitrary SQL commands via the site parameter. |
| CVE-2014-9331 | | | 0.03 | — | 0.05 | | Feb 4, 2015 | Cross-site request forgery (CSRF) vulnerability in ZOHO ManageEngine Desktop Central before 9 build 90130 allows remote attackers to hijack the authentication of administrators for requests that add an administrator account via an addUser action to… |
| CVE-2014-7867 | | | 0.03 | — | 0.40 | | Dec 4, 2014 | SQL injection vulnerability in the com.manageengine.opmanager.servlet.UpdateProbeUpgradeStatus servlet in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allows remote attackers or remote authenticated users to execute arbitrary SQL… |
| CVE-2014-6037 | | | 0.03 | — | 0.84 | | Oct 26, 2014 | Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 allows remote attackers to execute arbitrary code by uploading a ZIP file which contains an executable file with .. (dot dot) sequences in its… |
| CVE-2011-5105 | | | 0.03 | — | 0.06 | | Aug 23, 2012 | Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in ZOHO ManageEngine ADSelfService Plus 4.5 Build 4521 allow remote attackers to inject arbitrary web script or HTML via the (1) searchType and (2) searchString parameters, a different vulnerability than… |
| CVE-2010-3272 | | | 0.03 | — | 0.04 | | Feb 17, 2011 | accounts/ValidateAnswers in the security-questions implementation in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 makes it easier for remote attackers to reset user passwords, and consequently obtain access to arbitrary user accounts, via a modified (1)… |
| CVE-2024-5466 | | | 0.02 | — | 0.07 | | Aug 23, 2024 | Zohocorp ManageEngine OpManager and Remote Monitoring and Management versions 128329 and below are vulnerable to the authenticated remote code execution in the deploy agent option. |
| CVE-2023-23073 | | | 0.02 | — | 0.03 | | Feb 1, 2023 | Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via PO in the purchase component. |
| CVE-2023-23077 | | | 0.02 | — | 0.03 | | Feb 1, 2023 | Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment. |
| CVE-2023-23078 | | | 0.02 | — | 0.03 | | Feb 1, 2023 | Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing the credentials in the Assets. |
| CVE-2020-14048 | | | 0.02 | — | 0.05 | | Jun 12, 2020 | Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remote unauthenticated attackers to change the installation status of deployed agents. |
| CVE-2019-19034 | | | 0.02 | — | 0.06 | | Mar 23, 2020 | Zoho ManageEngine Asset Explorer 6.5 does not validate the System Center Configuration Manager (SCCM) database username when dynamically generating a command to schedule scans for SCCM. This allows an attacker to execute arbitrary commands on the AssetExplorer Server with NT… |
| CVE-2014-9371 | | | 0.02 | — | 0.19 | | Dec 16, 2014 | The NativeAppServlet in ManageEngine Desktop Central MSP before 90075 allows remote attackers to execute arbitrary code via a crafted JSON object. |
| CVE-2025-5966 | | | 0.01 | — | 0.01 | | Jun 26, 2025 | Zohocorp ManageEngine Exchange reporter Plus version 5722 and below are vulnerable to Stored XSS in the Attachments by filename keyword report. |
| CVE-2025-5366 | | | 0.01 | — | 0.01 | | Jun 26, 2025 | Zohocorp ManageEngine Exchange reporter Plus version 5722 and below are vulnerable to Stored XSS in the Folder-wise read mails with subject report. |
| CVE-2025-36527 | | | 0.01 | — | 0.20 | | May 23, 2025 | Zohocorp ManageEngine ADAudit Plus versions below 8511 are vulnerable to SQL injection while exporting reports. |
| CVE-2024-5471 | | | 0.01 | — | 0.02 | | Jul 17, 2024 | Zohocorp ManageEngine DDI Central versions 4001 and prior were vulnerable to agent takeover vulnerability due to the hard-coded sensitive keys. |
| CVE-2023-28340 | | | 0.01 | — | 0.03 | | Apr 11, 2023 | Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack. |
| CVE-2022-25373 | | | 0.01 | — | 0.01 | | Apr 5, 2022 | Zoho ManageEngine SupportCenter Plus before 11020 allows Stored XSS in the request history. |
| CVE-2021-43296 | | | 0.01 | — | 0.03 | | Nov 30, 2021 | Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to an SSRF attack in ActionExecutor. |
| CVE-2021-31160 | | | 0.01 | — | 0.04 | | Jun 29, 2021 | Zoho ManageEngine ServiceDesk Plus MSP before 10521 allows an attacker to access internal data. |
| CVE-2021-20080 | | | 0.01 | — | 0.93 | | Apr 9, 2021 | Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks by uploading a crafted XML asset file. |
| CVE-2018-5353 | | | 0.01 | — | 0.08 | | Sep 29, 2020 | The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable… |
| CVE-2019-19799 | | | 0.01 | — | 0.06 | | Mar 13, 2020 | Zoho ManageEngine Applications Manager before 14600 allows a remote unauthenticated attacker to disclose license related information via WieldFeedServlet servlet. |
| CVE-2019-19800 | | | 0.01 | — | 0.04 | | Feb 6, 2020 | Zoho ManageEngine Applications Manager 14 before 14520 allows a remote unauthenticated attacker to disclose OS file names via FailOverHelperServlet. |
| CVE-2019-7162 | | | 0.01 | — | 0.04 | | Dec 31, 2019 | An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.6 Build 5607. An exposed service allows an unauthenticated person to retrieve internal information from the system and modify the product installation. |
| CVE-2019-19650 | | | 0.01 | — | 0.06 | | Dec 11, 2019 | Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function. |
| CVE-2019-11678 | | | 0.01 | — | 0.09 | | May 2, 2019 | The "default reports" feature in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123218 is vulnerable to SQL Injection. |
| CVE-2019-8395 | | | 0.01 | — | 0.07 | | Feb 17, 2019 | An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10007 via an attachment to a request. |
| CVE-2025-11669 | | | 0.00 | — | 0.01 | | Jan 13, 2026 | Zohocorp ManageEngine PAM360 versions before 8202; Password Manager Pro versions before 13221; Access Manager Plus versions prior to 4401 are vulnerable to an authorization issue in the initiate remote session functionality. |
| CVE-2025-11250 | | | 0.00 | — | 0.01 | | Jan 13, 2026 | Zohocorp ManageEngine ADSelfService Plus versions before 6519 are vulnerable to Authentication Bypass due to improper filter configurations. |
| CVE-2025-9435 | | | 0.00 | — | 0.01 | | Jan 13, 2026 | Zohocorp ManageEngine ADManager Plus versions below 7230 are vulnerable to Path Traversal in the User Management module |
| CVE-2025-9787 | | | 0.00 | — | 0.01 | | Dec 18, 2025 | Zohocorp ManageEngine Applications Manager versions 177400 and below are vulnerable to Stored Cross-Site Scripting vulnerability in the NOC view. |
| CVE-2025-11670 | | | 0.00 | — | 0.00 | | Dec 15, 2025 | Zohocorp ManageEngine ADManager Plus versions before 8025 are vulnerable to NTLM Hash Exposure. This vulnerability is exploitable only by technicians who have the “Impersonate as Admin” option enabled. |
| CVE-2025-7633 | | | 0.00 | — | 0.00 | | Nov 11, 2025 | Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Custom report. |
| CVE-2025-7632 | | | 0.00 | — | 0.00 | | Nov 11, 2025 | Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Public Folders report. |
| CVE-2025-7430 | | | 0.00 | — | 0.00 | | Nov 11, 2025 | Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Folder Message Count and Size report. |
| CVE-2025-7429 | | | 0.00 | — | 0.00 | | Nov 11, 2025 | Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Mails Deleted or Moved report. |
| CVE-2025-5347 | | | 0.00 | — | 0.00 | | Oct 30, 2025 | Zohocorp ManageEngine Exchange Reporter Plus versions before 5723 are vulnerable to Stored Cross Site Scripting in the reports module. |
| CVE-2025-5343 | | | 0.00 | — | 0.00 | | Oct 30, 2025 | Zohocorp ManageEngine Exchange Reporter Plus versions through 5721 are vulnerable to Stored Cross Site Scripting in the Instant Search option. |
| CVE-2025-5342 | | | 0.00 | — | 0.01 | | Oct 30, 2025 | Zohocorp ManageEngine Exchange Reporter Plus through 5721 are vulnerable to ReDOS vulnerability in the search module. |
| CVE-2025-11248 | | | 0.00 | — | 0.00 | | Oct 27, 2025 | ZohoCorp ManageEngine Endpoint Central versions prior to 11.4.2528.05 are vulnerable to a sensitive information logging issue. An authenticated user with access to the logs could potentially obtain the sensitive agent token. |
| CVE-2025-6239 | | | 0.00 | — | 0.01 | | Oct 21, 2025 | Zohocorp ManageEngine Applications Manager versions 176800 and below are vulnerable to information disclosure in File/Directory monitor. |
| CVE-2025-10020 | | | 0.00 | — | 0.05 | | Oct 21, 2025 | Zohocorp ManageEngine ADManager Plus version before 8024 are vulnerable to authenticated command injection vulnerability in the Custom Script component. |
| CVE-2025-9428 | | | 0.00 | — | 0.25 | | Oct 21, 2025 | Zohocorp ManageEngine Analytics Plus versions 6171 and prior are vulnerable to authenticated SQL Injection via the key update api. |
| CVE-2025-7473 | | | 0.00 | — | 0.00 | | Oct 21, 2025 | Zohocorp ManageEngine EndPoint Central versions 11.4.2516.1 and prior are vulnerable to XML Injection. |
| CVE-2025-5496 | | | 0.00 | — | 0.00 | | Oct 21, 2025 | ZohoCorp ManageEngine Endpoint Central versions earlier than 11.4.2508.14, 11.4.2516.06, and 11.4.2518.01 are affected by an arbitrary file deletion vulnerability in the agent setup component. |
| CVE-2025-5494 | | | 0.00 | — | 0.00 | | Sep 25, 2025 | ZohoCorp ManageEngine Endpoint Central was impacted by an improper privilege management issue in the agent setup. This issue affects Endpoint Central: through 11.4.2500.25, through 11.4.2508.13. |
Page 3 of 6