ManageEngine ADSelfService Plus search function can be exploited by attackers

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

8.3

ManageEngine ADSelfService Plus search function can be exploited by attackers

CVE-2026-1367

Summary

ManageEngine ADSelfService Plus versions 6522 and below allow attackers to inject malicious SQL code, potentially leading to unauthorized data access or system compromise. This vulnerability only affects users who have authenticated access to the system. To mitigate the risk, update to a patched version of ADSelfService Plus or apply a temporary fix provided by the vendor.

Original title

Zohocorp ManageEngine ADSelfService Plus versions 6522 and below are vulnerable to authenticated SQL Injection in the search report option.

Original description

Zohocorp ManageEngine ADSelfService Plus versions 6522 and below are vulnerable to authenticated SQL Injection in the search report option.

nvd CVSS3.1 8.3

Vulnerability type

CWE-89 SQL Injection

https://www.manageengine.com/uk/products/self-service-password/advisory/CVE-2026...

Published: 23 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026