
Security Research

Real Engagements, Real CVEs

Found in the Field, Fixed at the Source

Raxis engineers find vulnerabilities for a living. Most of what we report to a client is about how their systems are built and configured. Sometimes the flaw is in the product itself. When that happens, we take it to the vendor, work through coordinated disclosure, and the issue is assigned a CVE identifier through MITRE.

This page lists the CVEs our team has discovered and disclosed. Twelve so far, across ManageEngine, PRTG Network Monitor, Nagios XI, and Rock RMS. Every one came out of real engagement work, not a lab exercise. Full technical writeups are on The Exploit blog.

Discovered CVEs

CVE / NVD | Product Details | Description (Raxis Pentester)
CVE-2026-36748 – NVD | Rock RMS XSS → privilege escalation to admin | Stored XSS in Rock RMS that lets a standard user escalate to administrator when an admin views the malicious user’s profile page (Jason Taylor)
CVE-2022-35739 – NVD | PRTG Network Monitor CSS injection | CSS injection in PRTG Network Monitor via a device’s icon/properties field rendered unescaped inside a style tag (Matt Mathur)
CVE-2022-26777 – NVD | ManageEngine Remote Access Plus — Guest IDOR (license details) | IDOR in ManageEngine Remote Access Plus — a Guest user can retrieve license details via the /dcapi/ endpoint (Matt Dunn)
CVE-2022-26653 – NVD | ManageEngine Remote Access Plus — Guest IDOR (domain details) | IDOR in ManageEngine Remote Access Plus — a Guest user can retrieve connected domain/controller details (Matt Dunn)
CVE-2022-25373 – NVD | ManageEngine Support Center Plus stored XSS | Stored XSS in ManageEngine Support Center Plus (Matt Dunn)
CVE-2022-25245 – NVD | ManageEngine Asset Explorer information leakage | Information leakage in ManageEngine Asset Explorer (Matt Dunn)
CVE-2022-24681 – NVD | ManageEngine ADSelfService Plus stored XSS (auth screens) | Stored XSS in ManageEngine ADSelfService Plus (Matt Dunn)
CVE-2021-38156 – NVD | Nagios XI stored XSS (dashboard edit) | Stored XSS in Nagios XI (Matt Dunn)
CVE-2021-31813 – NVD | ManageEngine Applications Manager stored XSS (AD-imported names) | Stored XSS in ManageEngine Applications Manager, via name fields imported from Active Directory (Matt Dunn)
CVE-2021-29643 – NVD | PRTG Network Monitor stored XSS | Stored XSS in PRTG Network Monitor (Matt Dunn)
CVE-2021-28382 – NVD | ManageEngine Key Manager Plus stored XSS (AD-imported fields) | Stored XSS in ManageEngine Key Manager Plus, via user detail fields imported from Active Directory (Matt Dunn)
CVE-2021-27956 – NVD | ManageEngine ADSelfService Plus stored XSS (directory-search email field) | Stored XSS in ManageEngine ADSelfService Plus, in the email field of directory search results (Matt Dunn)

Vendor Acknowledgments

Vendor | Recognition | Research
Google | Bug Hunters honorable mention | Bypassing a CSP and WAF with Google Tag Manager. Anyone can host JavaScript on googletagmanager.com, so an unsafe CSP exemption for Google Tag Manager turns into a usable attack vector.

How We Handle Disclosure

We report what we find to the vendor before we publish anything. We coordinate timing, confirm the fix is in place, and only then release a technical writeup so other teams can understand the issue and defend against it. Closing the hole comes first. The writeup comes second.

Put The Raxis Team on Your Environment

The engineers who find these flaws in shipping products are the same ones who test your systems. See how we test, or talk to our team.

Content updated on June 17, 2026 by Mark Puckett – Raxis
©2026 Raxis LLC