Zoho Corp


Products by Zoho Corp Sorted by Most Security Vulnerabilities since 2018

Zoho Corp Manageengine Pam360: 14 vulnerabilities

Zoho Corp Endpoint Central: 3 vulnerabilities

Zoho Corp Zoho Forms: 2 vulnerabilities

Zoho Corp Analytics Plus: 1 vulnerability

By the Year

In 2026 there have been 4 vulnerabilities in Zoho Corp with an average score of 6.8 out of ten. Last year, in 2025, Zoho Corp had 31 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Zoho Corp in 2026 could surpass last year's number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.43.




Year Vulnerabilities Average Score
2026 4 6.83
2025 31 6.40
2024 53 8.10
2023 46 6.91
2022 55 7.52
2021 96 8.61
2020 40 7.71
2019 58 7.37
2018 48 7.63

It may take a day or so for new Zoho Corp vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Zoho Corp Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2025-9226 Jan 30, 2026
Zohocorp ManageEngine OpManager Zohocorp ManageEngine OpManager, NetFlow Analyzer, and OpUtils versions prior to 128582 are affected by a stored cross-site scripting vulnerability in the Subnet Details.
Manageengine Opmanager
Manageengine Netflow Analyzer
Manageengine Oputils
CVE-2025-11669 Jan 13, 2026
Zohocorp ManageEngine PAM360 versions before 8202; Password Manager Pro versions before 13221; Access Manager Plus versions prior to 4401 are vulnerable to an authorization issue in the initiate remote session functionality.
Manageengine Pam360
Manageengine Password Manager Pro
Manageengine Access Manager Plus
And others...
CVE-2025-11250 Jan 13, 2026
Zohocorp ManageEngine ADSelfService Plus versions before 6519 are vulnerable to Authentication Bypass due to improper filter configurations.
Manageengine Adselfservice Plus
CVE-2025-9435 Jan 13, 2026
Zohocorp ManageEngine ADManager Plus versions below 7230 are vulnerable to Path Traversal in the User Management module
Manageengine Admanager Plus
CVE-2025-9787 Dec 18, 2025
ManageEngine AppsMgr: NOC View Stored XSS (CVE-2025-9787) Zohocorp ManageEngine Applications Manager versions 177400 and below are vulnerable to Stored Cross-Site Scripting vulnerability in the NOC view.
Manageengine Applications Manager
CVE-2025-11670 Dec 15, 2025
NTLM Hash Exposure in ManageEngine ADManager Plus before v8025 Zohocorp ManageEngine ADManager Plus versions before 8025 are vulnerable to NTLM Hash Exposure. This vulnerability is exploitable only by technicians who have the Impersonate as Admin option enabled.
Manageengine Admanager Plus
CVE-2025-9227 Nov 11, 2025
Stored XSS in SNMP Trap Processor of Zohocorp ManageEngine OpManager Zohocorp ManageEngine OpManager versions 128609 and below are vulnerable to Stored XSS Vulnerability in the SNMP trap processor.
Manageengine Opmanager
CVE-2025-9223 Nov 11, 2025
Zohocorp ManageEngine AppMgr Auth CMDI (CVE-2025-9223) Zohocorp ManageEngine Applications Manager versions 178100 and below are vulnerable to authenticated command injection vulnerability due to the improper configuration in the execute program action feature.
Manageengine Applications Manager
CVE-2025-8324 Nov 11, 2025
CVE-2025-8324: Unauthed SQLi in Zoho ManageEngine Analytics Plus <=6170 Zohocorp ManageEngine Analytics Plus versions 6170 and below are vulnerable to Unauthenticated SQL Injection due to the improper filter configuration.
Manageengine Analytics Plus
CVE-2025-7633 Nov 11, 2025
ManageEngine Exchange Reporter Plus Stored XSS via Custom Report Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Custom report.
Manageengine Exchange Reporter Plus
CVE-2025-7632 Nov 11, 2025
Zohocorp ManageEngine Exchange Reporter Plus Stored XSS in Public Folders Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Public Folders report.
Manageengine Exchange Reporter Plus
CVE-2025-7430 Nov 11, 2025
ManageEngine ERP XSS via Folder Message Count/Size Report Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Folder Message Count and Size report.
Manageengine Exchange Reporter Plus
CVE-2025-7429 Nov 11, 2025
Stored XSS in Exchange Reporter Plus Mails Deleted/Moved Report Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to the Stored XSS Vulnerability in the Mails Deleted or Moved report.
Manageengine Exchange Reporter Plus
CVE-2025-5347 Oct 30, 2025
Zoho ManageEngine Exchange Reporter Plus XSS in Reports Module (CVE-2025-5347) Zohocorp ManageEngine Exchange Reporter Plus versions before 5723 are vulnerable to Stored Cross Site Scripting in the reports module.
Manageengine Exchange Reporter Plus
CVE-2025-5343 Oct 30, 2025
Stored XSS in ManageEngine Exchange Reporter Plus Instant Search Zohocorp ManageEngine Exchange Reporter Plus versions through 5721 are vulnerable to Stored Cross Site Scripting in the Instant Search option.
Manageengine Exchange Reporter Plus
CVE-2025-5342 Oct 30, 2025
ManageEngine Exchange Reporter Plus ReDOS in Search Module Zohocorp ManageEngine Exchange Reporter Plus through 5721 are vulnerable to ReDOS vulnerability in the search module.
Manageengine Exchange Reporter Plus
CVE-2025-11248 Oct 27, 2025
Sensitive Info Log: ZMEC <11.4.2528.05 Logs Agent Token (CVE-2025-11248) ZohoCorp ManageEngine Endpoint Central versions prior to 11.4.2528.05 are vulnerable to a sensitive information logging issue. An authenticated user with access to the logs could potentially obtain the sensitive agent token.
Manageengine Endpoint Central
CVE-2025-6239 Oct 21, 2025
Zohocorp ManageEngine Applications Manager Info Disclosure via File/Dir Monitor Zohocorp ManageEngine Applications Manager versions 176800 and below are vulnerable to information disclosure in File/Directory monitor.
Manageengine Applications Manager
CVE-2025-10020 Oct 21, 2025
Zohocorp ManageEngine ADManager Plus Authenticated Custom Script Command Injection Zohocorp ManageEngine ADManager Plus versions before 8024 are vulnerable to authenticated command injection vulnerability in the Custom Script component.
Manageengine Admanager Plus
CVE-2025-9428 Oct 21, 2025
Auth SQLi in ManageEngine Analytics Plus keyupdate API (CVE-2025-9428) Zohocorp ManageEngine Analytics Plus versions 6171 and prior are vulnerable to authenticated SQL Injection via the key update api.
Analytics Plus
CVE-2025-7473 Oct 21, 2025
XML Injection in Zohocorp ManageEngine EndPoint Central before 11.4.2516.1 Zohocorp ManageEngine EndPoint Central versions 11.4.2516.1 and prior are vulnerable to XML Injection.
Endpoint Central
CVE-2025-5496 Oct 21, 2025
ZohoCorp ME Central < 11.4.2518.01: Arbitrary File Deletion in Agent Setup ZohoCorp ManageEngine Endpoint Central versions earlier than 11.4.2508.14, 11.4.2516.06, and 11.4.2518.01 are affected by an arbitrary file deletion vulnerability in the agent setup component.
Endpoint Central
CVE-2025-5494 Sep 25, 2025
ZohoEndpointCentral IPR Privilege Issue <=11.4.2508.13 ZohoCorp ManageEngine Endpoint Central was impacted by an improper privilege management issue in the agent setup. This issue affects Endpoint Central: through 11.4.2500.25, through 11.4.2508.13.
Endpoint Central
CVE-2025-27930 Jul 23, 2025
Stored XSS in File/Directory Monitor of Zohocorp ManageEngine AM Zohocorp ManageEngine Applications Manager versions 176600 and prior are vulnerable to stored cross-site scripting in the File/Directory monitor.
Manageengine Applications Manager
CVE-2025-41444 Jun 09, 2025
ManageEngine ADAudit Plus SQLi in Alerts Module Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in the alerts module.
Manageengine Adaudit Plus
CVE-2025-3835 Jun 09, 2025
RCE in Content Search of ManageEngine Exchange Reporter Plus (v<=5721) Zohocorp ManageEngine Exchange Reporter Plus versions 5721 and prior are vulnerable to Remote code execution in the Content Search module.
Manageengine Exchange Reporter Plus
CVE-2025-27709 Jun 09, 2025
ManageEngine ADAudit Plus SQL Injection in SA Reports Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in the Service Account Auditing reports.
Manageengine Adaudit Plus
CVE-2025-36528 Jun 09, 2025
Auth SQLi in ManageEngine ADAudit Plus Service Account Auditing Reports Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in Service Account Auditing reports.
Manageengine Adaudit Plus
CVE-2025-36527 May 23, 2025
SQLi in ManageEngine ADAudit+ Export Reports <v8511 Zohocorp ManageEngine ADAudit Plus versions below 8511 are vulnerable to SQL injection while exporting reports.
Manageengine Adaudit Plus
CVE-2025-41407 May 23, 2025
CVE-2025-41407: SQLi in ManageEngine ADAudit Plus OU History Zohocorp ManageEngine ADAudit Plus versions below 8511 are vulnerable to SQL injection in the OU History report.
Manageengine Adaudit Plus
CVE-2025-3444 May 22, 2025
ZOHOCORP ServiceDesk Plus LFI via Admin help card Zohocorp ManageEngine ServiceDesk Plus MSP and SupportCenter Plus versions below 14920 are vulnerable to authenticated Local File Inclusion (LFI) in the Admin module, where help card content is loaded.
Manageengine Servicedesk Plus Msp
Manageengine Supportcenter Plus
CVE-2025-3836 May 22, 2025
Auth SQLi in Logon Events Aggregate Report – ManageEngine ADAudit Plus Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in the logon events aggregate report.
Manageengine Adaudit Plus
CVE-2025-41403 May 22, 2025
ManageEngine ADAudit Plus Authn SQLi in Service Account Audit Fetch Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection while fetching service account audit data.
Manageengine Adaudit Plus
CVE-2025-3834 May 14, 2025
Zohocorp ManageEngine ADAudit Plus Authenticated SQLi in OU History Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in the OU History report.
Manageengine Adaudit Plus
CVE-2024-50053 Mar 21, 2025
ZohoCorp MgrEng ServiceDesk Plus Stored XSS via Task Feature Zohocorp ManageEngine ServiceDesk Plus versions below 14920, ServiceDesk Plus MSP and SupportCentre Plus versions below 14910 are vulnerable to Stored XSS in the task feature.
Manageengine Servicedesk Plus
Manageengine Servicedesk Plus Msp
Manageengine Supportcentre Plus
And others...
CVE-2024-52323 Nov 27, 2024
ManageEngine Analytics Plus Authenticated Sensitive Data Exposure Vulnerability Zohocorp ManageEngine Analytics Plus versions below 6100 are vulnerable to authenticated sensitive data exposure which allows the users to retrieve sensitive tokens associated to the org-admin account.
Manageengine Analytics Plus
CVE-2024-49574 Nov 18, 2024
Zohocorp ManageEngine ADAudit Plus SQLi in Reports Module (CVE-2024-49574) Zohocorp ManageEngine ADAudit Plus versions below 8123 are vulnerable to SQL Injection in the reports module.
Manageengine Adaudit Plus
CVE-2024-10839 Nov 08, 2024
ManageEngine SharePoint XXE in Management v4503 - November 2024 Zohocorp ManageEngine SharePoint Manager Plus versions 4503 and prior are vulnerable to authenticated XML External Entity (XXE) in the Management option.
Manageengine Sharepoint Manager Plus
CVE-2024-24409 Nov 08, 2024
ManageEngine ADManager Plus Privilege Escalation - November 2024 Zohocorp ManageEngine ADManager Plus versions 7203 and prior are vulnerable to Privilege Escalation in the Modify Computers option.
Manageengine Admanager Plus
CVE-2024-9459 Nov 05, 2024
SQL Injection in ManageEngine Exchange Reporter Plus Reports Zohocorp ManageEngine Exchange Reporter Plus versions 5718 and prior are vulnerable to authenticated SQL Injection in reports module.
Manageengine Exchange Reporter Plus
CVE-2024-36485 Nov 04, 2024
SQL Injection Vulnerability in Zoho ManageEngine ADAudit Plus Technician Reports Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to SQL Injection in Technician reports option.
Manageengine Adaudit Plus
CVE-2024-48878 Nov 04, 2024
SQL Injection Vulnerability in Zoho ManageEngine ADManager Plus Archived Audit Report Zohocorp ManageEngine ADManager Plus versions 7241 and prior are vulnerable to SQL Injection in Archived Audit Report.
Manageengine Admanager Plus
CVE-2024-5608 Oct 24, 2024
Zohocorp ManageEngine ADAudit Plus SQLi via Technician Reports <8121 Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to SQL Injection in the technician reports feature.
Manageengine Adaudit Plus
CVE-2024-38868 Aug 30, 2024
Endpoint Central (Zoho) Before 11.3.2406.08 Auth Fail Isolation Vulnerability Zohocorp ManageEngine Endpoint Central is affected by an Incorrect authorization vulnerability while isolating the devices. This issue affects Endpoint Central: before 11.3.2406.08 and before 11.3.2400.15
Manageengine Endpoint Central
CVE-2024-6204 Aug 30, 2024
SQL Injection in Zohocorp ME Exchange Reporter Plus 5715 Zohocorp ManageEngine Exchange Reporter Plus versions before 5715 are vulnerable to SQL Injection in the reports module.
Manageengine Exchange Reporter Plus
CVE-2024-5546 Aug 28, 2024
ManageEngine PAM360 & Password Manager Pro Authenticated SQLi via Global Search Zohocorp ManageEngine Password Manager Pro versions before 12431 and ManageEngine PAM360 versions before 7001 are affected by authenticated SQL Injection vulnerability via a global search option.
Manageengine Pam360
Manageengine Password Manager Pro
CVE-2024-41150 Aug 23, 2024
ServiceDesk Plus XSS via request module (CVE-2024-41150) A Stored Cross-site Scripting vulnerability in request module affects Zohocorp ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus. This issue affects ServiceDesk Plus versions: through 14810; ServiceDesk Plus MSP: through 14800; SupportCenter Plus: through 14800.
Manageengine Servicedesk Plus Msp
Manageengine Servicedesk Plus
Manageengine Supportcenter Plus
And others...
CVE-2024-38869 Aug 23, 2024
Endpoint Central before 11.3.2416.04 - Incorrect Auth in Remote Deploy Zohocorp ManageEngine Endpoint Central is affected by an Incorrect authorization vulnerability in remote office deploy configurations. This issue affects Endpoint Central: before 11.3.2416.04 and before 11.3.2400.25.
Manageengine Servicedesk Plus Msp
Manageengine Servicedesk Plus
Manageengine Supportcenter Plus
And others...
CVE-2024-5467 Aug 23, 2024
Auth SQLi in Zoho's ManageEngine ADAudit Plus lockout report Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to the authenticated SQL injection in account lockout report.
Manageengine Adaudit Plus
CVE-2024-36515 Aug 23, 2024
Zoho ADAudit Plus Authenticated SQLi via Dashboard (CVE-2024-36515) Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in dashboard. Note: This vulnerability is different from another vulnerability (CVE-2024-36516), both of which have affected ADAudit Plus' dashboard.
Manageengine Adaudit Plus
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).