Zoho

Products by Zoho Sorted by Most Security Vulnerabilities since 2018

Zoho Salesiq: 4 vulnerabilities

Zoho Campaigns: 2 vulnerabilities

Zoho Lead Magnet: 1 vulnerability

Zoho Marketing Automation: 1 vulnerability

Known Exploited Zoho Vulnerabilities

The following Zoho vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

| Title | Description | CVE | Exploit Probability | Added |
|---|---|---|---|---|
| Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability | Multiple Zoho ManageEngine ADSelfService Plus contains an unspecified vulnerability allowing for remote code execution when performing a password change or reset. | CVE-2022-28810 | 91.4% | March 7, 2023 |
| Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability | Multiple Zoho ManageEngine products contain an unauthenticated remote code execution vulnerability due to the usage of an outdated third-party dependency, Apache Santuario. | CVE-2022-47966 | 94.4% | January 23, 2023 |
| Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability | Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus contain an unspecified vulnerability which allows for remote code execution. | CVE-2022-35405 | 94.4% | September 22, 2022 |
| Zoho Desktop Central Authentication Bypass Vulnerability | Zoho Desktop Central contains an authentication bypass vulnerability that could allow an attacker to execute arbitrary code in the Desktop Central MSP server. | CVE-2021-44515 | 94.3% | December 10, 2021 |
| Zoho ManageEngine ServiceDesk Authentication Bypass Vulnerability | Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication | CVE-2021-37415 | 87.4% | December 1, 2021 |
| Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability | Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution | CVE-2021-44077 | 94.3% | December 1, 2021 |
| Zoho Corp. ManageEngine ADSelfService Plus Version 6113 and Earlier Authentication Bypass | Zoho ManageEngine ADSelfService Plus versions 6113 and earlier contain an authentication bypass vulnerability which allows for Remote Code Execution. | CVE-2021-40539 | 94.4% | November 3, 2021 |
| Zoho ManageEngine Desktop Central Remote Code Execution Vulnerability | Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets. | CVE-2020-10189 | 94.2% | November 3, 2021 |
| Zoho ManageEngine ServiceDesk Plus Arbitrary File Upload Vulnerability | Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization. | CVE-2019-8394 | 87.3% | November 3, 2021 |

Of the known exploited vulnerabilities above, 9 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.

By the Year

In 2025 there have been 0 vulnerabilities in Zoho. Last year, in 2024, Zoho had 4 security vulnerabilities published. Right now, Zoho is on track to have fewer security vulnerabilities in 2025 than it did last year.

| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 0 | 0.00 |
| 2024 | 4 | 8.80 |
| 2023 | 0 | 0.00 |
| 2022 | 0 | 0.00 |
| 2021 | 0 | 0.00 |
| 2020 | 0 | 0.00 |
| 2019 | 5 | 7.04 |

It may take a day or so for new Zoho vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Zoho Security Vulnerabilities

| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2024-5466 | Aug 23, 2024 | ManageEngine OpManager RCE via Deploy Agent (CVE-2024-5466): Zohocorp ManageEngine OpManager and Remote Monitoring and Management versions 128329 and below are vulnerable to the authenticated remote code execution in the deploy agent option. | Manageengine Remote Monitoring Management |
| CVE-2024-37225 | Jul 09, 2024 | SQL Injection in Zoho Marketing Automation v1.2.7 and older: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Zoho Marketing Automation. This issue affects Zoho Marketing Automation: from n/a through 1.2.7. | Marketing Automation |
| CVE-2024-32442 | Apr 15, 2024 | CSRF in Zoho Campaigns before 2.0.7: Cross-Site Request Forgery (CSRF) vulnerability in Zoho Campaigns. This issue affects Zoho Campaigns: from n/a through 2.0.7. | Zoho Campaigns |
| CVE-2024-32441 | Apr 15, 2024 | Zoho Campaigns CSRF before 2.0.7 (CVE-2024-32441): Cross-Site Request Forgery (CSRF) vulnerability in Zoho Campaigns. This issue affects Zoho Campaigns: from n/a through 2.0.7. | Zoho Campaigns |
| CVE-2019-19306 | Nov 26, 2019 | The Zoho CRM Lead Magnet plugin 1.6.9.1 for WordPress: The Zoho CRM Lead Magnet plugin 1.6.9.1 for WordPress allows XSS via module, EditShortcode, or LayoutName. | Lead Magnet |
| CVE-2019-15644 | Aug 27, 2019 | The zoho-salesiq plugin before 1.0.9 for WordPress has stored XSS. | Salesiq |
| CVE-2019-15645 | Aug 27, 2019 | The zoho-salesiq plugin before 1.0.9 for WordPress has CSRF. | Salesiq |
| CVE-2019-5962 | Jul 05, 2019 | Cross-site scripting vulnerability in Zoho SalesIQ 1.0.8 and earlier: Cross-site scripting vulnerability in Zoho SalesIQ 1.0.8 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | Salesiq |
| CVE-2019-5963 | Jul 05, 2019 | Cross-site request forgery (CSRF) vulnerability in Zoho SalesIQ 1.0.8 and earlier: Cross-site request forgery (CSRF) vulnerability in Zoho SalesIQ 1.0.8 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | Salesiq |

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).