ManageEngine ADSelfService Plus Authenticated SQL Injection Vulnerability

Vulnerability

A high-severity authenticated SQL injection vulnerability has been identified in ManageEngine ADSelfService Plus versions 6522 and earlier. This vulnerability allows authenticated technicians to execute arbitrary SQL commands through the Reports module, potentially leading to unauthorized modifications of the ADSelfService Plus database. The issue arises from inadequate validation and sanitization of custom input in SQL queries sent from the Reports module to the database.

Impact

Exploitation of this vulnerability could allow authenticated ADSelfService Plus technicians to manipulate the database by executing arbitrary SQL commands, posing a risk of unauthorized data changes.

Remediation

Users can update to ManageEngine ADSelfService Plus version 6523 or later, using the available service pack.

Added: Feb 23, 2026, 8:17 AM
Updated: Feb 23, 2026, 8:17 AM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 3.1
exploitability: 5.2
remediation: 7.7
relevance: 3.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.