Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
40 vulnerabilities by intermesh
CVE-2026-45551 (GCVE-0-2026-45551)
Vulnerability from nvd – Published: 2026-05-29 12:34 – Updated: 2026-05-29 13:16
VLAI
Title
Group-Office: Authenticated Stored XSS in Administrator Context via Arbitrary Cross-User Setting Write
Summary
Group-Office is an enterprise customer relationship management and groupware tool. Prior to 26.0.25, 25.0.100, and 6.8.165, GroupOffice allows authenticated users to persist arbitrary legacy settings for any user_id via index.php?r=core/saveSetting. A separate client-side sink in the email module injects the email_font_size setting directly into JavaScript without escaping. By combining these two issues, any low-privileged authenticated user can overwrite an administrator's email_font_size setting with a JavaScript payload and trigger stored XSS in the administrator's browser when the GroupOffice web client loads views/Extjs3/modulescripts.php. This vulnerability is fixed in 26.0.25, 25.0.100, and 6.8.165.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
>= 26.0.1, < 26.0.25
Affected: >= 25.0.1, < 25.0.1005 Affected: < 6.8.165 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45551",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T13:16:28.023941Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T13:16:31.397Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-9w92-p32g-g99p"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003e= 26.0.1, \u003c 26.0.25"
},
{
"status": "affected",
"version": "\u003e= 25.0.1, \u003c 25.0.1005"
},
{
"status": "affected",
"version": "\u003c 6.8.165"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to 26.0.25, 25.0.100, and 6.8.165, GroupOffice allows authenticated users to persist arbitrary legacy settings for any user_id via index.php?r=core/saveSetting. A separate client-side sink in the email module injects the email_font_size setting directly into JavaScript without escaping. By combining these two issues, any low-privileged authenticated user can overwrite an administrator\u0027s email_font_size setting with a JavaScript payload and trigger stored XSS in the administrator\u0027s browser when the GroupOffice web client loads views/Extjs3/modulescripts.php. This vulnerability is fixed in 26.0.25, 25.0.100, and 6.8.165."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T12:34:22.615Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-9w92-p32g-g99p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-9w92-p32g-g99p"
}
],
"source": {
"advisory": "GHSA-9w92-p32g-g99p",
"discovery": "UNKNOWN"
},
"title": "Group-Office: Authenticated Stored XSS in Administrator Context via Arbitrary Cross-User Setting Write"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45551",
"datePublished": "2026-05-29T12:34:22.615Z",
"dateReserved": "2026-05-12T17:48:47.880Z",
"dateUpdated": "2026-05-29T13:16:31.397Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34838 (GCVE-0-2026-34838)
Vulnerability from nvd – Published: 2026-04-02 19:15 – Updated: 2026-04-03 12:55
VLAI
Title
Group-Office: Authenticated Remote Code Execution via PHP Insecure Deserialization in `AbstractSettingsCollection`
Summary
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to insecure deserialization when these settings are loaded. By injecting a serialized FileCookieJar object into a setting string, an authenticated attacker can achieve Arbitrary File Write, leading directly to Remote Code Execution (RCE) on the server. This issue has been patched in versions 6.8.156, 25.0.90, and 26.0.12.
Severity
10 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
| https://github.com/Intermesh/groupoffice/releases… | x_refsource_MISC |
| https://github.com/Intermesh/groupoffice/releases… | x_refsource_MISC |
| https://github.com/Intermesh/groupoffice/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
< 6.8.156
Affected: < 25.0.90 Affected: < 26.0.12 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34838",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T12:55:40.674883Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T12:55:48.631Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.156"
},
{
"status": "affected",
"version": "\u003c 25.0.90"
},
{
"status": "affected",
"version": "\u003c 26.0.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to insecure deserialization when these settings are loaded. By injecting a serialized FileCookieJar object into a setting string, an authenticated attacker can achieve Arbitrary File Write, leading directly to Remote Code Execution (RCE) on the server. This issue has been patched in versions 6.8.156, 25.0.90, and 26.0.12."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T19:15:40.591Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-h22j-frrf-5vxq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-h22j-frrf-5vxq"
},
{
"name": "https://github.com/Intermesh/groupoffice/releases/tag/v25.0.90",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Intermesh/groupoffice/releases/tag/v25.0.90"
},
{
"name": "https://github.com/Intermesh/groupoffice/releases/tag/v26.0.12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Intermesh/groupoffice/releases/tag/v26.0.12"
},
{
"name": "https://github.com/Intermesh/groupoffice/releases/tag/v6.8.156",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Intermesh/groupoffice/releases/tag/v6.8.156"
}
],
"source": {
"advisory": "GHSA-h22j-frrf-5vxq",
"discovery": "UNKNOWN"
},
"title": "Group-Office: Authenticated Remote Code Execution via PHP Insecure Deserialization in `AbstractSettingsCollection`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34838",
"datePublished": "2026-04-02T19:15:40.591Z",
"dateReserved": "2026-03-30T20:52:53.284Z",
"dateUpdated": "2026-04-03T12:55:48.631Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33755 (GCVE-0-2026-33755)
Vulnerability from nvd – Published: 2026-03-27 14:08 – Updated: 2026-03-27 17:23
VLAI
Title
Authenticated SQL Injection in Contact/query addressBookIds filter
Summary
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP `Contact/query` endpoint allows any authenticated user with basic addressbook access to extract arbitrary data from the database — including active session tokens of other users. This enables full account takeover of any user, including the System Administrator, without knowing their password. Versions 6.8.158, 25.0.92, and 26.0.17 fix the issue.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
< 6.8.158
Affected: < 25.0.92 Affected: < 26.0.17 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33755",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T17:23:14.328861Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T17:23:30.752Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.158"
},
{
"status": "affected",
"version": "\u003c 25.0.92"
},
{
"status": "affected",
"version": "\u003c 26.0.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP `Contact/query` endpoint allows any authenticated user with basic addressbook access to extract arbitrary data from the database \u2014 including active session tokens of other users. This enables full account takeover of any user, including the System Administrator, without knowing their password. Versions 6.8.158, 25.0.92, and 26.0.17 fix the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T14:08:38.685Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-3gc4-5993-c2qc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-3gc4-5993-c2qc"
}
],
"source": {
"advisory": "GHSA-3gc4-5993-c2qc",
"discovery": "UNKNOWN"
},
"title": "Authenticated SQL Injection in Contact/query addressBookIds filter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33755",
"datePublished": "2026-03-27T14:08:38.685Z",
"dateReserved": "2026-03-23T18:30:14.125Z",
"dateUpdated": "2026-03-27T17:23:30.752Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30238 (GCVE-0-2026-30238)
Vulnerability from nvd – Published: 2026-03-06 21:14 – Updated: 2026-03-09 20:54
VLAI
Title
Group-Office: Reflected XSS in JavaScript context
Summary
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in GroupOffice on the external/index flow. The f parameter (Base64 JSON) is decoded and then injected into an inline JavaScript block without strict escaping, allowing </script><script>...</script> injection and arbitrary JavaScript execution in the victim's browser. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
< 6.8.155
Affected: < 25.0.88 Affected: < 26.0.10 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30238",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:44:43.774910Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:54:28.592Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.155"
},
{
"status": "affected",
"version": "\u003c 25.0.88"
},
{
"status": "affected",
"version": "\u003c 26.0.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in GroupOffice on the external/index flow. The f parameter (Base64 JSON) is decoded and then injected into an inline JavaScript block without strict escaping, allowing \u003c/script\u003e\u003cscript\u003e...\u003c/script\u003e injection and arbitrary JavaScript execution in the victim\u0027s browser. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T21:14:03.149Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-7p2f-c33m-rv5v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-7p2f-c33m-rv5v"
}
],
"source": {
"advisory": "GHSA-7p2f-c33m-rv5v",
"discovery": "UNKNOWN"
},
"title": "Group-Office: Reflected XSS in JavaScript context"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30238",
"datePublished": "2026-03-06T21:14:03.149Z",
"dateReserved": "2026-03-04T17:23:59.798Z",
"dateUpdated": "2026-03-09T20:54:28.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30237 (GCVE-0-2026-30237)
Vulnerability from nvd – Published: 2026-03-06 21:13 – Updated: 2026-03-09 20:54
VLAI
Title
Group-Office: Self XSS in GroupOffice Installer License Page (install/license.php)
Summary
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in the GroupOffice installer, endpoint install/license.php. The POST field license is rendered without escaping inside a <textarea>, allowing a </textarea><script>...</script> breakout.. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
< 6.8.155
Affected: < 25.0.88 Affected: < 26.0.10 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30237",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:45:05.972907Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:54:28.748Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.155"
},
{
"status": "affected",
"version": "\u003c 25.0.88"
},
{
"status": "affected",
"version": "\u003c 26.0.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in the GroupOffice installer, endpoint install/license.php. The POST field license is rendered without escaping inside a \u003ctextarea\u003e, allowing a \u003c/textarea\u003e\u003cscript\u003e...\u003c/script\u003e breakout.. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T21:13:33.925Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-hchr-32xh-x5rx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-hchr-32xh-x5rx"
}
],
"source": {
"advisory": "GHSA-hchr-32xh-x5rx",
"discovery": "UNKNOWN"
},
"title": "Group-Office: Self XSS in GroupOffice Installer License Page (install/license.php)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30237",
"datePublished": "2026-03-06T21:13:33.925Z",
"dateReserved": "2026-03-04T17:23:59.798Z",
"dateUpdated": "2026-03-09T20:54:28.748Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27947 (GCVE-0-2026-27947)
Vulnerability from nvd – Published: 2026-02-27 19:52 – Updated: 2026-03-03 20:24
VLAI
Title
Group-Office Vulnerable to Remote Code Execution (RCE)
Summary
Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.9, 25.0.87, and 6.8.154 have an authenticated Remote Code Execution vulnerability in the TNEF attachment processing flow. The vulnerable path extracts attacker-controlled files from `winmail.dat` and then invokes `zip` with a shell wildcard (`*`). Because extracted filenames are attacker-controlled, they can be interpreted as `zip` options and lead to arbitrary command execution. Versions 26.0.9, 25.0.87, and 6.8.154 fix the issue.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
>= 26.0.0, < 26.0.9
Affected: >= 25.0.0, < 25.0.87 Affected: < 6.8.154 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27947",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-03T20:24:24.671913Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-03T20:24:32.730Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003e= 26.0.0, \u003c 26.0.9"
},
{
"status": "affected",
"version": "\u003e= 25.0.0, \u003c 25.0.87"
},
{
"status": "affected",
"version": "\u003c 6.8.154"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.9, 25.0.87, and 6.8.154 have an authenticated Remote Code Execution vulnerability in the TNEF attachment processing flow. The vulnerable path extracts attacker-controlled files from `winmail.dat` and then invokes `zip` with a shell wildcard (`*`). Because extracted filenames are attacker-controlled, they can be interpreted as `zip` options and lead to arbitrary command execution. Versions 26.0.9, 25.0.87, and 6.8.154 fix the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T19:52:41.592Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-2rwh-9qp7-f92x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-2rwh-9qp7-f92x"
}
],
"source": {
"advisory": "GHSA-2rwh-9qp7-f92x",
"discovery": "UNKNOWN"
},
"title": "Group-Office Vulnerable to Remote Code Execution (RCE)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27947",
"datePublished": "2026-02-27T19:52:41.592Z",
"dateReserved": "2026-02-25T03:11:36.690Z",
"dateUpdated": "2026-03-03T20:24:32.730Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27832 (GCVE-0-2026-27832)
Vulnerability from nvd – Published: 2026-02-27 19:49 – Updated: 2026-03-02 12:56
VLAI
Title
Group-Office Has Authenticated SQL Injection in advancedQueryData.comparator
Summary
Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.8, 25.0.87, and 6.8.153 have a SQL Injection (SQLi) vulnerability, exploitable through the `advancedQueryData` parameter (`comparator` field) on an authenticated endpoint. The endpoint `index.php?r=email/template/emailSelection` processes `advancedQueryData` and forwards the SQL comparator without a strict allowlist into SQL condition building. This enables blind boolean-based exfiltration of the `core_auth_password` table. Versions 26.0.8, 25.0.87, and 6.8.153 fix the issue.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
< 6.8.153
Affected: >= 25.0.0, < 25.0.87 Affected: >= 26.0.0, < 26.0.8 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27832",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-02T12:56:25.529218Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-02T12:56:47.385Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.153"
},
{
"status": "affected",
"version": "\u003e= 25.0.0, \u003c 25.0.87"
},
{
"status": "affected",
"version": "\u003e= 26.0.0, \u003c 26.0.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.8, 25.0.87, and 6.8.153 have a SQL Injection (SQLi) vulnerability, exploitable through the `advancedQueryData` parameter (`comparator` field) on an authenticated endpoint. The endpoint `index.php?r=email/template/emailSelection` processes `advancedQueryData` and forwards the SQL comparator without a strict allowlist into SQL condition building. This enables blind boolean-based exfiltration of the `core_auth_password` table. Versions 26.0.8, 25.0.87, and 6.8.153 fix the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T19:49:57.867Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-vfgv-8w8v-qpxr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-vfgv-8w8v-qpxr"
}
],
"source": {
"advisory": "GHSA-vfgv-8w8v-qpxr",
"discovery": "UNKNOWN"
},
"title": "Group-Office Has Authenticated SQL Injection in advancedQueryData.comparator"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27832",
"datePublished": "2026-02-27T19:49:57.867Z",
"dateReserved": "2026-02-24T02:32:39.800Z",
"dateUpdated": "2026-03-02T12:56:47.385Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25511 (GCVE-0-2026-25511)
Vulnerability from nvd – Published: 2026-02-04 20:40 – Updated: 2026-02-05 21:02
VLAI
Title
Group-Office is vulnerable to SSRF and File Read in WOPI service discovery
Summary
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, an authenticated user within the System Administrator group can trigger a full SSRF via the WOPI service discovery URL, including access to internal hosts/ports. The SSRF response body can be exfiltrated via the built‑in debug system, turning it into a visible SSRF. This also allows full server-side file read. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
| https://github.com/Intermesh/groupoffice/commit/5… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
< 6.8.150
Affected: < 25.0.82 Affected: < 26.0.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25511",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T21:02:18.815073Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T21:02:22.830Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-r9v4-jm2r-r9pm"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.150"
},
{
"status": "affected",
"version": "\u003c 25.0.82"
},
{
"status": "affected",
"version": "\u003c 26.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, an authenticated user within the System Administrator group can trigger a full SSRF via the WOPI service discovery URL, including access to internal hosts/ports. The SSRF response body can be exfiltrated via the built\u2011in debug system, turning it into a visible SSRF. This also allows full server-side file read. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T20:40:04.317Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-r9v4-jm2r-r9pm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-r9v4-jm2r-r9pm"
},
{
"name": "https://github.com/Intermesh/groupoffice/commit/5ac199dce758e1ce0d1cdb6905df5da3c2af42b3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Intermesh/groupoffice/commit/5ac199dce758e1ce0d1cdb6905df5da3c2af42b3"
}
],
"source": {
"advisory": "GHSA-r9v4-jm2r-r9pm",
"discovery": "UNKNOWN"
},
"title": "Group-Office is vulnerable to SSRF and File Read in WOPI service discovery"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25511",
"datePublished": "2026-02-04T20:40:04.317Z",
"dateReserved": "2026-02-02T18:21:42.486Z",
"dateUpdated": "2026-02-05T21:02:22.830Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25512 (GCVE-0-2026-25512)
Vulnerability from nvd – Published: 2026-02-04 20:39 – Updated: 2026-02-05 21:03
VLAI
Title
Group-Office is vulnerable to RCE due to Command Injection via TNEF Attachment Handler
Summary
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, there is a remote code execution (RCE) vulnerability in Group-Office. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled parameter tmp_file into an exec() call. By injecting shell metacharacters into tmp_file, an authenticated attacker can execute arbitrary system commands on the server. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
| http://github.com/Intermesh/groupoffice/commit/6c… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
< 6.8.150
Affected: < 25.0.82 Affected: < 26.0.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25512",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T21:03:20.946470Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T21:03:24.677Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-579w-jvg7-frr4"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.150"
},
{
"status": "affected",
"version": "\u003c 25.0.82"
},
{
"status": "affected",
"version": "\u003c 26.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, there is a remote code execution (RCE) vulnerability in Group-Office. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled parameter tmp_file into an exec() call. By injecting shell metacharacters into tmp_file, an authenticated attacker can execute arbitrary system commands on the server. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T20:39:08.039Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-579w-jvg7-frr4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-579w-jvg7-frr4"
},
{
"name": "http://github.com/Intermesh/groupoffice/commit/6c612deca97a6cd2a1bd4feea0ce7e8e9d907792",
"tags": [
"x_refsource_MISC"
],
"url": "http://github.com/Intermesh/groupoffice/commit/6c612deca97a6cd2a1bd4feea0ce7e8e9d907792"
}
],
"source": {
"advisory": "GHSA-579w-jvg7-frr4",
"discovery": "UNKNOWN"
},
"title": "Group-Office is vulnerable to RCE due to Command Injection via TNEF Attachment Handler"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25512",
"datePublished": "2026-02-04T20:39:08.039Z",
"dateReserved": "2026-02-02T18:21:42.486Z",
"dateUpdated": "2026-02-05T21:03:24.677Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25134 (GCVE-0-2026-25134)
Vulnerability from nvd – Published: 2026-02-02 22:40 – Updated: 2026-02-04 16:53
VLAI
Title
Group-Office Argument Injection in MaintenanceController::actionZipLanguage
Summary
Group-Office is an enterprise customer relationship management and groupware tool. Prior to 6.8.150, 25.0.82, and 26.0.5, the MaintenanceController exposes an action zipLanguage which takes a lang parameter and passes it directly to a system zip command via exec(). This can be combined with uploading a crafted zip file to achieve remote code execution. This vulnerability is fixed in 6.8.150, 25.0.82, and 26.0.5.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
| https://github.com/Intermesh/groupoffice/commit/d… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
< 6.8.150
Affected: >= 25.0.0, < 25.0.82 Affected: >= 26.0.0, < 26.0.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25134",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T15:54:26.783842Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T16:53:26.657Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.150"
},
{
"status": "affected",
"version": "\u003e= 25.0.0, \u003c 25.0.82"
},
{
"status": "affected",
"version": "\u003e= 26.0.0, \u003c 26.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to 6.8.150, 25.0.82, and 26.0.5, the MaintenanceController exposes an action zipLanguage which takes a lang parameter and passes it directly to a system zip command via exec(). This can be combined with uploading a crafted zip file to achieve remote code execution. This vulnerability is fixed in 6.8.150, 25.0.82, and 26.0.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T22:40:15.094Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-v39j-549w-8849",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-v39j-549w-8849"
},
{
"name": "https://github.com/Intermesh/groupoffice/commit/d28490a6a29936db7888aa841ab8ade88800540b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Intermesh/groupoffice/commit/d28490a6a29936db7888aa841ab8ade88800540b"
}
],
"source": {
"advisory": "GHSA-v39j-549w-8849",
"discovery": "UNKNOWN"
},
"title": "Group-Office Argument Injection in MaintenanceController::actionZipLanguage"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25134",
"datePublished": "2026-02-02T22:40:15.094Z",
"dateReserved": "2026-01-29T14:03:42.540Z",
"dateUpdated": "2026-02-04T16:53:26.657Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23887 (GCVE-0-2026-23887)
Vulnerability from nvd – Published: 2026-01-21 23:39 – Updated: 2026-01-22 21:52
VLAI
Title
Group-Office has stored XSS vulnerability via unsanitized filenames
Summary
Group-Office is an enterprise customer relationship management and groupware tool. In versions 6.8.148 and below, and 25.0.1 through 25.0.79, the application stores unsanitized filenames in the database, which can lead to Stored Cross-Site Scripting (XSS). Users who interact with these specially crafted file names within the Group-Office application are affected. While the scope is limited to the file-viewing context, it could still be used to interfere with user sessions or perform unintended actions in the browser. This issue is fixed in versions 6.8.149 and 25.0.80.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
| https://github.com/Intermesh/groupoffice/commit/3… | x_refsource_MISC |
| https://github.com/Intermesh/groupoffice/commit/a… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
< 6.8.149
Affected: >= 25.0.1, < 25.0.80 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23887",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-22T21:52:26.742400Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T21:52:37.524Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.149"
},
{
"status": "affected",
"version": "\u003e= 25.0.1, \u003c 25.0.80"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. In versions 6.8.148 and below, and 25.0.1 through 25.0.79, the application stores unsanitized filenames in the database, which can lead to Stored Cross-Site Scripting (XSS). Users who interact with these specially crafted file names within the Group-Office application are affected. While the scope is limited to the file-viewing context, it could still be used to interfere with user sessions or perform unintended actions in the browser. This issue is fixed in versions 6.8.149 and 25.0.80."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-21T23:39:05.160Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-3gj5-gvvr-g6hp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-3gj5-gvvr-g6hp"
},
{
"name": "https://github.com/Intermesh/groupoffice/commit/3fa40d7edd31fbe33babe07061d5a14ad19ea40f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Intermesh/groupoffice/commit/3fa40d7edd31fbe33babe07061d5a14ad19ea40f"
},
{
"name": "https://github.com/Intermesh/groupoffice/commit/ac91b128157bc9c5ea015b6141ce71cd3bbc43f0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Intermesh/groupoffice/commit/ac91b128157bc9c5ea015b6141ce71cd3bbc43f0"
}
],
"source": {
"advisory": "GHSA-3gj5-gvvr-g6hp",
"discovery": "UNKNOWN"
},
"title": "Group-Office has stored XSS vulnerability via unsanitized filenames"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23887",
"datePublished": "2026-01-21T23:39:05.160Z",
"dateReserved": "2026-01-16T21:02:02.902Z",
"dateUpdated": "2026-01-22T21:52:37.524Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48993 (GCVE-0-2025-48993)
Vulnerability from nvd – Published: 2025-06-17 00:43 – Updated: 2025-06-17 13:45
VLAI
Title
Group-Office vulnerable to reflected XSS via Look and Feel Formatting input
Summary
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a malicious JavaScript payload can be executed via the Look and Feel formatting fields. Any user can update their Look and Feel Formatting input fields, but the web application does not sanitize their input. This could result in a reflected cross-site scripting (XSS) attack. This issue has been patched in versions 6.8.123 and 25.0.27.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
| https://github.com/Intermesh/groupoffice/commit/1… | x_refsource_MISC |
| https://github.com/Intermesh/groupoffice/commit/a… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
< 6.8.123
Affected: < 25.0.27 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48993",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-17T13:41:16.140341Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T13:45:06.357Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.123"
},
{
"status": "affected",
"version": "\u003c 25.0.27"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a malicious JavaScript payload can be executed via the Look and Feel formatting fields. Any user can update their Look and Feel Formatting input fields, but the web application does not sanitize their input. This could result in a reflected cross-site scripting (XSS) attack. This issue has been patched in versions 6.8.123 and 25.0.27."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T00:43:35.194Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-xv2x-v374-92gv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-xv2x-v374-92gv"
},
{
"name": "https://github.com/Intermesh/groupoffice/commit/1e2a2450f204174f87a93217838d74718996dcdd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Intermesh/groupoffice/commit/1e2a2450f204174f87a93217838d74718996dcdd"
},
{
"name": "https://github.com/Intermesh/groupoffice/commit/a9031884f6a6fbd0f08a8b7790514b5bc0937c11",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Intermesh/groupoffice/commit/a9031884f6a6fbd0f08a8b7790514b5bc0937c11"
}
],
"source": {
"advisory": "GHSA-xv2x-v374-92gv",
"discovery": "UNKNOWN"
},
"title": "Group-Office vulnerable to reflected XSS via Look and Feel Formatting input"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48993",
"datePublished": "2025-06-17T00:43:35.194Z",
"dateReserved": "2025-05-29T16:34:07.174Z",
"dateUpdated": "2025-06-17T13:45:06.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48992 (GCVE-0-2025-48992)
Vulnerability from nvd – Published: 2025-06-16 22:17 – Updated: 2025-06-17 13:51
VLAI
Title
Group-Office vulnerable to blind XSS
Summary
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a stored and blind cross-site scripting (XSS) vulnerability exists in the Name Field of the user profile. A malicious attacker can change their name to a javascript payload, which is executed when a user adds the malicious user to their Synchronization > Address books. This issue has been patched in versions 6.8.123 and 25.0.27.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
| https://github.com/Intermesh/groupoffice/commit/2… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
< 6.8.123
Affected: < 25.0.27 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48992",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-17T13:50:31.580060Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T13:51:00.396Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.123"
},
{
"status": "affected",
"version": "\u003c 25.0.27"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a stored and blind cross-site scripting (XSS) vulnerability exists in the Name Field of the user profile. A malicious attacker can change their name to a javascript payload, which is executed when a user adds the malicious user to their Synchronization \u003e Address books. This issue has been patched in versions 6.8.123 and 25.0.27."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-87",
"description": "CWE-87: Improper Neutralization of Alternate XSS Syntax",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T00:29:11.384Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-j35g-q5mc-jwgp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-j35g-q5mc-jwgp"
},
{
"name": "https://github.com/Intermesh/groupoffice/commit/2e3695db9cdef1da7a9d754ff4d98f49f6924e2d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Intermesh/groupoffice/commit/2e3695db9cdef1da7a9d754ff4d98f49f6924e2d"
}
],
"source": {
"advisory": "GHSA-j35g-q5mc-jwgp",
"discovery": "UNKNOWN"
},
"title": "Group-Office vulnerable to blind XSS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48992",
"datePublished": "2025-06-16T22:17:28.511Z",
"dateReserved": "2025-05-29T16:34:07.173Z",
"dateUpdated": "2025-06-17T13:51:00.396Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48369 (GCVE-0-2025-48369)
Vulnerability from nvd – Published: 2025-05-22 17:33 – Updated: 2025-05-22 18:45
VLAI
Title
GroupOffice vulnerable to Stored XSS in Tasks Comment Section
Summary
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a persistent Cross-Site Scripting (XSS) vulnerability exists in Groupoffice's tasks comment functionality, allowing attackers to execute arbitrary JavaScript by uploading an file with a crafted filename. When administrators or other users view the task containing this malicious file, the payload executes in their browser context. The application fails to sanitize image filenames before rendering them in the comment. By uploading an image with a crafted filename containing XSS payloads, attackers can steal sensitive information. Versions 6.8.119 and 25.0.20 contain a fix for the issue.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
< 6.8.119
Affected: < 25.0.20 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48369",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-22T18:45:25.983320Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T18:45:32.626Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-45jj-r48j-75pp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.119"
},
{
"status": "affected",
"version": "\u003c 25.0.20"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a persistent Cross-Site Scripting (XSS) vulnerability exists in Groupoffice\u0027s tasks comment functionality, allowing attackers to execute arbitrary JavaScript by uploading an file with a crafted filename. When administrators or other users view the task containing this malicious file, the payload executes in their browser context. The application fails to sanitize image filenames before rendering them in the comment. By uploading an image with a crafted filename containing XSS payloads, attackers can steal sensitive information. Versions 6.8.119 and 25.0.20 contain a fix for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T17:33:06.254Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-45jj-r48j-75pp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-45jj-r48j-75pp"
}
],
"source": {
"advisory": "GHSA-45jj-r48j-75pp",
"discovery": "UNKNOWN"
},
"title": "GroupOffice vulnerable to Stored XSS in Tasks Comment Section"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48369",
"datePublished": "2025-05-22T17:33:06.254Z",
"dateReserved": "2025-05-19T15:46:00.395Z",
"dateUpdated": "2025-05-22T18:45:32.626Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48368 (GCVE-0-2025-48368)
Vulnerability from nvd – Published: 2025-05-22 17:29 – Updated: 2025-05-22 17:52
VLAI
Title
GroupOffice's DOM-Based XSS in all Date Input Fields Allows Arbitrary JavaScript Execution
Summary
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a DOM-based Cross-Site Scripting (XSS) vulnerability exists in the GroupOffice application, allowing attackers to execute arbitrary JavaScript code in the context of the victim's browser. This can lead to session hijacking, defacement, or redirection to malicious sites. The vulnerability can be triggered by injecting a crafted payload into a parameter that is later processed unsafely in the DOM. Versions 6.8.119 and 25.0.20 contain a fix for the issue.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
< 6.8.119
Affected: < 25.0.20 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48368",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-22T17:51:41.168557Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T17:52:08.245Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-c49j-qvp9-vgg6"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.119"
},
{
"status": "affected",
"version": "\u003c 25.0.20"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a DOM-based Cross-Site Scripting (XSS) vulnerability exists in the GroupOffice application, allowing attackers to execute arbitrary JavaScript code in the context of the victim\u0027s browser. This can lead to session hijacking, defacement, or redirection to malicious sites. The vulnerability can be triggered by injecting a crafted payload into a parameter that is later processed unsafely in the DOM. Versions 6.8.119 and 25.0.20 contain a fix for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T17:31:21.007Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-c49j-qvp9-vgg6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-c49j-qvp9-vgg6"
}
],
"source": {
"advisory": "GHSA-c49j-qvp9-vgg6",
"discovery": "UNKNOWN"
},
"title": "GroupOffice\u0027s DOM-Based XSS in all Date Input Fields Allows Arbitrary JavaScript Execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48368",
"datePublished": "2025-05-22T17:29:57.631Z",
"dateReserved": "2025-05-19T15:46:00.394Z",
"dateUpdated": "2025-05-22T17:52:08.245Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-45551 (GCVE-0-2026-45551)
Vulnerability from cvelistv5 – Published: 2026-05-29 12:34 – Updated: 2026-05-29 13:16
VLAI
Title
Group-Office: Authenticated Stored XSS in Administrator Context via Arbitrary Cross-User Setting Write
Summary
Group-Office is an enterprise customer relationship management and groupware tool. Prior to 26.0.25, 25.0.100, and 6.8.165, GroupOffice allows authenticated users to persist arbitrary legacy settings for any user_id via index.php?r=core/saveSetting. A separate client-side sink in the email module injects the email_font_size setting directly into JavaScript without escaping. By combining these two issues, any low-privileged authenticated user can overwrite an administrator's email_font_size setting with a JavaScript payload and trigger stored XSS in the administrator's browser when the GroupOffice web client loads views/Extjs3/modulescripts.php. This vulnerability is fixed in 26.0.25, 25.0.100, and 6.8.165.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
>= 26.0.1, < 26.0.25
Affected: >= 25.0.1, < 25.0.1005 Affected: < 6.8.165 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45551",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T13:16:28.023941Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T13:16:31.397Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-9w92-p32g-g99p"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003e= 26.0.1, \u003c 26.0.25"
},
{
"status": "affected",
"version": "\u003e= 25.0.1, \u003c 25.0.1005"
},
{
"status": "affected",
"version": "\u003c 6.8.165"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to 26.0.25, 25.0.100, and 6.8.165, GroupOffice allows authenticated users to persist arbitrary legacy settings for any user_id via index.php?r=core/saveSetting. A separate client-side sink in the email module injects the email_font_size setting directly into JavaScript without escaping. By combining these two issues, any low-privileged authenticated user can overwrite an administrator\u0027s email_font_size setting with a JavaScript payload and trigger stored XSS in the administrator\u0027s browser when the GroupOffice web client loads views/Extjs3/modulescripts.php. This vulnerability is fixed in 26.0.25, 25.0.100, and 6.8.165."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T12:34:22.615Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-9w92-p32g-g99p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-9w92-p32g-g99p"
}
],
"source": {
"advisory": "GHSA-9w92-p32g-g99p",
"discovery": "UNKNOWN"
},
"title": "Group-Office: Authenticated Stored XSS in Administrator Context via Arbitrary Cross-User Setting Write"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45551",
"datePublished": "2026-05-29T12:34:22.615Z",
"dateReserved": "2026-05-12T17:48:47.880Z",
"dateUpdated": "2026-05-29T13:16:31.397Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34838 (GCVE-0-2026-34838)
Vulnerability from cvelistv5 – Published: 2026-04-02 19:15 – Updated: 2026-04-03 12:55
VLAI
Title
Group-Office: Authenticated Remote Code Execution via PHP Insecure Deserialization in `AbstractSettingsCollection`
Summary
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to insecure deserialization when these settings are loaded. By injecting a serialized FileCookieJar object into a setting string, an authenticated attacker can achieve Arbitrary File Write, leading directly to Remote Code Execution (RCE) on the server. This issue has been patched in versions 6.8.156, 25.0.90, and 26.0.12.
Severity
10 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
| https://github.com/Intermesh/groupoffice/releases… | x_refsource_MISC |
| https://github.com/Intermesh/groupoffice/releases… | x_refsource_MISC |
| https://github.com/Intermesh/groupoffice/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
< 6.8.156
Affected: < 25.0.90 Affected: < 26.0.12 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34838",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T12:55:40.674883Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T12:55:48.631Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.156"
},
{
"status": "affected",
"version": "\u003c 25.0.90"
},
{
"status": "affected",
"version": "\u003c 26.0.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to insecure deserialization when these settings are loaded. By injecting a serialized FileCookieJar object into a setting string, an authenticated attacker can achieve Arbitrary File Write, leading directly to Remote Code Execution (RCE) on the server. This issue has been patched in versions 6.8.156, 25.0.90, and 26.0.12."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T19:15:40.591Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-h22j-frrf-5vxq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-h22j-frrf-5vxq"
},
{
"name": "https://github.com/Intermesh/groupoffice/releases/tag/v25.0.90",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Intermesh/groupoffice/releases/tag/v25.0.90"
},
{
"name": "https://github.com/Intermesh/groupoffice/releases/tag/v26.0.12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Intermesh/groupoffice/releases/tag/v26.0.12"
},
{
"name": "https://github.com/Intermesh/groupoffice/releases/tag/v6.8.156",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Intermesh/groupoffice/releases/tag/v6.8.156"
}
],
"source": {
"advisory": "GHSA-h22j-frrf-5vxq",
"discovery": "UNKNOWN"
},
"title": "Group-Office: Authenticated Remote Code Execution via PHP Insecure Deserialization in `AbstractSettingsCollection`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34838",
"datePublished": "2026-04-02T19:15:40.591Z",
"dateReserved": "2026-03-30T20:52:53.284Z",
"dateUpdated": "2026-04-03T12:55:48.631Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33755 (GCVE-0-2026-33755)
Vulnerability from cvelistv5 – Published: 2026-03-27 14:08 – Updated: 2026-03-27 17:23
VLAI
Title
Authenticated SQL Injection in Contact/query addressBookIds filter
Summary
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP `Contact/query` endpoint allows any authenticated user with basic addressbook access to extract arbitrary data from the database — including active session tokens of other users. This enables full account takeover of any user, including the System Administrator, without knowing their password. Versions 6.8.158, 25.0.92, and 26.0.17 fix the issue.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
< 6.8.158
Affected: < 25.0.92 Affected: < 26.0.17 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33755",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T17:23:14.328861Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T17:23:30.752Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.158"
},
{
"status": "affected",
"version": "\u003c 25.0.92"
},
{
"status": "affected",
"version": "\u003c 26.0.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP `Contact/query` endpoint allows any authenticated user with basic addressbook access to extract arbitrary data from the database \u2014 including active session tokens of other users. This enables full account takeover of any user, including the System Administrator, without knowing their password. Versions 6.8.158, 25.0.92, and 26.0.17 fix the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T14:08:38.685Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-3gc4-5993-c2qc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-3gc4-5993-c2qc"
}
],
"source": {
"advisory": "GHSA-3gc4-5993-c2qc",
"discovery": "UNKNOWN"
},
"title": "Authenticated SQL Injection in Contact/query addressBookIds filter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33755",
"datePublished": "2026-03-27T14:08:38.685Z",
"dateReserved": "2026-03-23T18:30:14.125Z",
"dateUpdated": "2026-03-27T17:23:30.752Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30238 (GCVE-0-2026-30238)
Vulnerability from cvelistv5 – Published: 2026-03-06 21:14 – Updated: 2026-03-09 20:54
VLAI
Title
Group-Office: Reflected XSS in JavaScript context
Summary
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in GroupOffice on the external/index flow. The f parameter (Base64 JSON) is decoded and then injected into an inline JavaScript block without strict escaping, allowing </script><script>...</script> injection and arbitrary JavaScript execution in the victim's browser. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
< 6.8.155
Affected: < 25.0.88 Affected: < 26.0.10 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30238",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:44:43.774910Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:54:28.592Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.155"
},
{
"status": "affected",
"version": "\u003c 25.0.88"
},
{
"status": "affected",
"version": "\u003c 26.0.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in GroupOffice on the external/index flow. The f parameter (Base64 JSON) is decoded and then injected into an inline JavaScript block without strict escaping, allowing \u003c/script\u003e\u003cscript\u003e...\u003c/script\u003e injection and arbitrary JavaScript execution in the victim\u0027s browser. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T21:14:03.149Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-7p2f-c33m-rv5v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-7p2f-c33m-rv5v"
}
],
"source": {
"advisory": "GHSA-7p2f-c33m-rv5v",
"discovery": "UNKNOWN"
},
"title": "Group-Office: Reflected XSS in JavaScript context"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30238",
"datePublished": "2026-03-06T21:14:03.149Z",
"dateReserved": "2026-03-04T17:23:59.798Z",
"dateUpdated": "2026-03-09T20:54:28.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30237 (GCVE-0-2026-30237)
Vulnerability from cvelistv5 – Published: 2026-03-06 21:13 – Updated: 2026-03-09 20:54
VLAI
Title
Group-Office: Self XSS in GroupOffice Installer License Page (install/license.php)
Summary
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in the GroupOffice installer, endpoint install/license.php. The POST field license is rendered without escaping inside a <textarea>, allowing a </textarea><script>...</script> breakout.. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
< 6.8.155
Affected: < 25.0.88 Affected: < 26.0.10 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30237",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:45:05.972907Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:54:28.748Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.155"
},
{
"status": "affected",
"version": "\u003c 25.0.88"
},
{
"status": "affected",
"version": "\u003c 26.0.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in the GroupOffice installer, endpoint install/license.php. The POST field license is rendered without escaping inside a \u003ctextarea\u003e, allowing a \u003c/textarea\u003e\u003cscript\u003e...\u003c/script\u003e breakout.. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T21:13:33.925Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-hchr-32xh-x5rx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-hchr-32xh-x5rx"
}
],
"source": {
"advisory": "GHSA-hchr-32xh-x5rx",
"discovery": "UNKNOWN"
},
"title": "Group-Office: Self XSS in GroupOffice Installer License Page (install/license.php)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30237",
"datePublished": "2026-03-06T21:13:33.925Z",
"dateReserved": "2026-03-04T17:23:59.798Z",
"dateUpdated": "2026-03-09T20:54:28.748Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27947 (GCVE-0-2026-27947)
Vulnerability from cvelistv5 – Published: 2026-02-27 19:52 – Updated: 2026-03-03 20:24
VLAI
Title
Group-Office Vulnerable to Remote Code Execution (RCE)
Summary
Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.9, 25.0.87, and 6.8.154 have an authenticated Remote Code Execution vulnerability in the TNEF attachment processing flow. The vulnerable path extracts attacker-controlled files from `winmail.dat` and then invokes `zip` with a shell wildcard (`*`). Because extracted filenames are attacker-controlled, they can be interpreted as `zip` options and lead to arbitrary command execution. Versions 26.0.9, 25.0.87, and 6.8.154 fix the issue.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
>= 26.0.0, < 26.0.9
Affected: >= 25.0.0, < 25.0.87 Affected: < 6.8.154 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27947",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-03T20:24:24.671913Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-03T20:24:32.730Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003e= 26.0.0, \u003c 26.0.9"
},
{
"status": "affected",
"version": "\u003e= 25.0.0, \u003c 25.0.87"
},
{
"status": "affected",
"version": "\u003c 6.8.154"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.9, 25.0.87, and 6.8.154 have an authenticated Remote Code Execution vulnerability in the TNEF attachment processing flow. The vulnerable path extracts attacker-controlled files from `winmail.dat` and then invokes `zip` with a shell wildcard (`*`). Because extracted filenames are attacker-controlled, they can be interpreted as `zip` options and lead to arbitrary command execution. Versions 26.0.9, 25.0.87, and 6.8.154 fix the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T19:52:41.592Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-2rwh-9qp7-f92x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-2rwh-9qp7-f92x"
}
],
"source": {
"advisory": "GHSA-2rwh-9qp7-f92x",
"discovery": "UNKNOWN"
},
"title": "Group-Office Vulnerable to Remote Code Execution (RCE)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27947",
"datePublished": "2026-02-27T19:52:41.592Z",
"dateReserved": "2026-02-25T03:11:36.690Z",
"dateUpdated": "2026-03-03T20:24:32.730Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27832 (GCVE-0-2026-27832)
Vulnerability from cvelistv5 – Published: 2026-02-27 19:49 – Updated: 2026-03-02 12:56
VLAI
Title
Group-Office Has Authenticated SQL Injection in advancedQueryData.comparator
Summary
Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.8, 25.0.87, and 6.8.153 have a SQL Injection (SQLi) vulnerability, exploitable through the `advancedQueryData` parameter (`comparator` field) on an authenticated endpoint. The endpoint `index.php?r=email/template/emailSelection` processes `advancedQueryData` and forwards the SQL comparator without a strict allowlist into SQL condition building. This enables blind boolean-based exfiltration of the `core_auth_password` table. Versions 26.0.8, 25.0.87, and 6.8.153 fix the issue.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
< 6.8.153
Affected: >= 25.0.0, < 25.0.87 Affected: >= 26.0.0, < 26.0.8 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27832",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-02T12:56:25.529218Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-02T12:56:47.385Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.153"
},
{
"status": "affected",
"version": "\u003e= 25.0.0, \u003c 25.0.87"
},
{
"status": "affected",
"version": "\u003e= 26.0.0, \u003c 26.0.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.8, 25.0.87, and 6.8.153 have a SQL Injection (SQLi) vulnerability, exploitable through the `advancedQueryData` parameter (`comparator` field) on an authenticated endpoint. The endpoint `index.php?r=email/template/emailSelection` processes `advancedQueryData` and forwards the SQL comparator without a strict allowlist into SQL condition building. This enables blind boolean-based exfiltration of the `core_auth_password` table. Versions 26.0.8, 25.0.87, and 6.8.153 fix the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T19:49:57.867Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-vfgv-8w8v-qpxr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-vfgv-8w8v-qpxr"
}
],
"source": {
"advisory": "GHSA-vfgv-8w8v-qpxr",
"discovery": "UNKNOWN"
},
"title": "Group-Office Has Authenticated SQL Injection in advancedQueryData.comparator"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27832",
"datePublished": "2026-02-27T19:49:57.867Z",
"dateReserved": "2026-02-24T02:32:39.800Z",
"dateUpdated": "2026-03-02T12:56:47.385Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25511 (GCVE-0-2026-25511)
Vulnerability from cvelistv5 – Published: 2026-02-04 20:40 – Updated: 2026-02-05 21:02
VLAI
Title
Group-Office is vulnerable to SSRF and File Read in WOPI service discovery
Summary
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, an authenticated user within the System Administrator group can trigger a full SSRF via the WOPI service discovery URL, including access to internal hosts/ports. The SSRF response body can be exfiltrated via the built‑in debug system, turning it into a visible SSRF. This also allows full server-side file read. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
| https://github.com/Intermesh/groupoffice/commit/5… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
< 6.8.150
Affected: < 25.0.82 Affected: < 26.0.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25511",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T21:02:18.815073Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T21:02:22.830Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-r9v4-jm2r-r9pm"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.150"
},
{
"status": "affected",
"version": "\u003c 25.0.82"
},
{
"status": "affected",
"version": "\u003c 26.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, an authenticated user within the System Administrator group can trigger a full SSRF via the WOPI service discovery URL, including access to internal hosts/ports. The SSRF response body can be exfiltrated via the built\u2011in debug system, turning it into a visible SSRF. This also allows full server-side file read. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T20:40:04.317Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-r9v4-jm2r-r9pm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-r9v4-jm2r-r9pm"
},
{
"name": "https://github.com/Intermesh/groupoffice/commit/5ac199dce758e1ce0d1cdb6905df5da3c2af42b3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Intermesh/groupoffice/commit/5ac199dce758e1ce0d1cdb6905df5da3c2af42b3"
}
],
"source": {
"advisory": "GHSA-r9v4-jm2r-r9pm",
"discovery": "UNKNOWN"
},
"title": "Group-Office is vulnerable to SSRF and File Read in WOPI service discovery"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25511",
"datePublished": "2026-02-04T20:40:04.317Z",
"dateReserved": "2026-02-02T18:21:42.486Z",
"dateUpdated": "2026-02-05T21:02:22.830Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25512 (GCVE-0-2026-25512)
Vulnerability from cvelistv5 – Published: 2026-02-04 20:39 – Updated: 2026-02-05 21:03
VLAI
Title
Group-Office is vulnerable to RCE due to Command Injection via TNEF Attachment Handler
Summary
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, there is a remote code execution (RCE) vulnerability in Group-Office. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled parameter tmp_file into an exec() call. By injecting shell metacharacters into tmp_file, an authenticated attacker can execute arbitrary system commands on the server. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
| http://github.com/Intermesh/groupoffice/commit/6c… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
< 6.8.150
Affected: < 25.0.82 Affected: < 26.0.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25512",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T21:03:20.946470Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T21:03:24.677Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-579w-jvg7-frr4"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.150"
},
{
"status": "affected",
"version": "\u003c 25.0.82"
},
{
"status": "affected",
"version": "\u003c 26.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, there is a remote code execution (RCE) vulnerability in Group-Office. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled parameter tmp_file into an exec() call. By injecting shell metacharacters into tmp_file, an authenticated attacker can execute arbitrary system commands on the server. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T20:39:08.039Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-579w-jvg7-frr4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-579w-jvg7-frr4"
},
{
"name": "http://github.com/Intermesh/groupoffice/commit/6c612deca97a6cd2a1bd4feea0ce7e8e9d907792",
"tags": [
"x_refsource_MISC"
],
"url": "http://github.com/Intermesh/groupoffice/commit/6c612deca97a6cd2a1bd4feea0ce7e8e9d907792"
}
],
"source": {
"advisory": "GHSA-579w-jvg7-frr4",
"discovery": "UNKNOWN"
},
"title": "Group-Office is vulnerable to RCE due to Command Injection via TNEF Attachment Handler"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25512",
"datePublished": "2026-02-04T20:39:08.039Z",
"dateReserved": "2026-02-02T18:21:42.486Z",
"dateUpdated": "2026-02-05T21:03:24.677Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25134 (GCVE-0-2026-25134)
Vulnerability from cvelistv5 – Published: 2026-02-02 22:40 – Updated: 2026-02-04 16:53
VLAI
Title
Group-Office Argument Injection in MaintenanceController::actionZipLanguage
Summary
Group-Office is an enterprise customer relationship management and groupware tool. Prior to 6.8.150, 25.0.82, and 26.0.5, the MaintenanceController exposes an action zipLanguage which takes a lang parameter and passes it directly to a system zip command via exec(). This can be combined with uploading a crafted zip file to achieve remote code execution. This vulnerability is fixed in 6.8.150, 25.0.82, and 26.0.5.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
| https://github.com/Intermesh/groupoffice/commit/d… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
< 6.8.150
Affected: >= 25.0.0, < 25.0.82 Affected: >= 26.0.0, < 26.0.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25134",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T15:54:26.783842Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T16:53:26.657Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.150"
},
{
"status": "affected",
"version": "\u003e= 25.0.0, \u003c 25.0.82"
},
{
"status": "affected",
"version": "\u003e= 26.0.0, \u003c 26.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to 6.8.150, 25.0.82, and 26.0.5, the MaintenanceController exposes an action zipLanguage which takes a lang parameter and passes it directly to a system zip command via exec(). This can be combined with uploading a crafted zip file to achieve remote code execution. This vulnerability is fixed in 6.8.150, 25.0.82, and 26.0.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T22:40:15.094Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-v39j-549w-8849",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-v39j-549w-8849"
},
{
"name": "https://github.com/Intermesh/groupoffice/commit/d28490a6a29936db7888aa841ab8ade88800540b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Intermesh/groupoffice/commit/d28490a6a29936db7888aa841ab8ade88800540b"
}
],
"source": {
"advisory": "GHSA-v39j-549w-8849",
"discovery": "UNKNOWN"
},
"title": "Group-Office Argument Injection in MaintenanceController::actionZipLanguage"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25134",
"datePublished": "2026-02-02T22:40:15.094Z",
"dateReserved": "2026-01-29T14:03:42.540Z",
"dateUpdated": "2026-02-04T16:53:26.657Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23887 (GCVE-0-2026-23887)
Vulnerability from cvelistv5 – Published: 2026-01-21 23:39 – Updated: 2026-01-22 21:52
VLAI
Title
Group-Office has stored XSS vulnerability via unsanitized filenames
Summary
Group-Office is an enterprise customer relationship management and groupware tool. In versions 6.8.148 and below, and 25.0.1 through 25.0.79, the application stores unsanitized filenames in the database, which can lead to Stored Cross-Site Scripting (XSS). Users who interact with these specially crafted file names within the Group-Office application are affected. While the scope is limited to the file-viewing context, it could still be used to interfere with user sessions or perform unintended actions in the browser. This issue is fixed in versions 6.8.149 and 25.0.80.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
| https://github.com/Intermesh/groupoffice/commit/3… | x_refsource_MISC |
| https://github.com/Intermesh/groupoffice/commit/a… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
< 6.8.149
Affected: >= 25.0.1, < 25.0.80 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23887",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-22T21:52:26.742400Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T21:52:37.524Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.149"
},
{
"status": "affected",
"version": "\u003e= 25.0.1, \u003c 25.0.80"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. In versions 6.8.148 and below, and 25.0.1 through 25.0.79, the application stores unsanitized filenames in the database, which can lead to Stored Cross-Site Scripting (XSS). Users who interact with these specially crafted file names within the Group-Office application are affected. While the scope is limited to the file-viewing context, it could still be used to interfere with user sessions or perform unintended actions in the browser. This issue is fixed in versions 6.8.149 and 25.0.80."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-21T23:39:05.160Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-3gj5-gvvr-g6hp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-3gj5-gvvr-g6hp"
},
{
"name": "https://github.com/Intermesh/groupoffice/commit/3fa40d7edd31fbe33babe07061d5a14ad19ea40f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Intermesh/groupoffice/commit/3fa40d7edd31fbe33babe07061d5a14ad19ea40f"
},
{
"name": "https://github.com/Intermesh/groupoffice/commit/ac91b128157bc9c5ea015b6141ce71cd3bbc43f0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Intermesh/groupoffice/commit/ac91b128157bc9c5ea015b6141ce71cd3bbc43f0"
}
],
"source": {
"advisory": "GHSA-3gj5-gvvr-g6hp",
"discovery": "UNKNOWN"
},
"title": "Group-Office has stored XSS vulnerability via unsanitized filenames"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23887",
"datePublished": "2026-01-21T23:39:05.160Z",
"dateReserved": "2026-01-16T21:02:02.902Z",
"dateUpdated": "2026-01-22T21:52:37.524Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48993 (GCVE-0-2025-48993)
Vulnerability from cvelistv5 – Published: 2025-06-17 00:43 – Updated: 2025-06-17 13:45
VLAI
Title
Group-Office vulnerable to reflected XSS via Look and Feel Formatting input
Summary
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a malicious JavaScript payload can be executed via the Look and Feel formatting fields. Any user can update their Look and Feel Formatting input fields, but the web application does not sanitize their input. This could result in a reflected cross-site scripting (XSS) attack. This issue has been patched in versions 6.8.123 and 25.0.27.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
| https://github.com/Intermesh/groupoffice/commit/1… | x_refsource_MISC |
| https://github.com/Intermesh/groupoffice/commit/a… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
< 6.8.123
Affected: < 25.0.27 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48993",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-17T13:41:16.140341Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T13:45:06.357Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.123"
},
{
"status": "affected",
"version": "\u003c 25.0.27"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a malicious JavaScript payload can be executed via the Look and Feel formatting fields. Any user can update their Look and Feel Formatting input fields, but the web application does not sanitize their input. This could result in a reflected cross-site scripting (XSS) attack. This issue has been patched in versions 6.8.123 and 25.0.27."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T00:43:35.194Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-xv2x-v374-92gv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-xv2x-v374-92gv"
},
{
"name": "https://github.com/Intermesh/groupoffice/commit/1e2a2450f204174f87a93217838d74718996dcdd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Intermesh/groupoffice/commit/1e2a2450f204174f87a93217838d74718996dcdd"
},
{
"name": "https://github.com/Intermesh/groupoffice/commit/a9031884f6a6fbd0f08a8b7790514b5bc0937c11",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Intermesh/groupoffice/commit/a9031884f6a6fbd0f08a8b7790514b5bc0937c11"
}
],
"source": {
"advisory": "GHSA-xv2x-v374-92gv",
"discovery": "UNKNOWN"
},
"title": "Group-Office vulnerable to reflected XSS via Look and Feel Formatting input"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48993",
"datePublished": "2025-06-17T00:43:35.194Z",
"dateReserved": "2025-05-29T16:34:07.174Z",
"dateUpdated": "2025-06-17T13:45:06.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48992 (GCVE-0-2025-48992)
Vulnerability from cvelistv5 – Published: 2025-06-16 22:17 – Updated: 2025-06-17 13:51
VLAI
Title
Group-Office vulnerable to blind XSS
Summary
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a stored and blind cross-site scripting (XSS) vulnerability exists in the Name Field of the user profile. A malicious attacker can change their name to a javascript payload, which is executed when a user adds the malicious user to their Synchronization > Address books. This issue has been patched in versions 6.8.123 and 25.0.27.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
| https://github.com/Intermesh/groupoffice/commit/2… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
< 6.8.123
Affected: < 25.0.27 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48992",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-17T13:50:31.580060Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T13:51:00.396Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.123"
},
{
"status": "affected",
"version": "\u003c 25.0.27"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a stored and blind cross-site scripting (XSS) vulnerability exists in the Name Field of the user profile. A malicious attacker can change their name to a javascript payload, which is executed when a user adds the malicious user to their Synchronization \u003e Address books. This issue has been patched in versions 6.8.123 and 25.0.27."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-87",
"description": "CWE-87: Improper Neutralization of Alternate XSS Syntax",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T00:29:11.384Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-j35g-q5mc-jwgp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-j35g-q5mc-jwgp"
},
{
"name": "https://github.com/Intermesh/groupoffice/commit/2e3695db9cdef1da7a9d754ff4d98f49f6924e2d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Intermesh/groupoffice/commit/2e3695db9cdef1da7a9d754ff4d98f49f6924e2d"
}
],
"source": {
"advisory": "GHSA-j35g-q5mc-jwgp",
"discovery": "UNKNOWN"
},
"title": "Group-Office vulnerable to blind XSS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48992",
"datePublished": "2025-06-16T22:17:28.511Z",
"dateReserved": "2025-05-29T16:34:07.173Z",
"dateUpdated": "2025-06-17T13:51:00.396Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48369 (GCVE-0-2025-48369)
Vulnerability from cvelistv5 – Published: 2025-05-22 17:33 – Updated: 2025-05-22 18:45
VLAI
Title
GroupOffice vulnerable to Stored XSS in Tasks Comment Section
Summary
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a persistent Cross-Site Scripting (XSS) vulnerability exists in Groupoffice's tasks comment functionality, allowing attackers to execute arbitrary JavaScript by uploading an file with a crafted filename. When administrators or other users view the task containing this malicious file, the payload executes in their browser context. The application fails to sanitize image filenames before rendering them in the comment. By uploading an image with a crafted filename containing XSS payloads, attackers can steal sensitive information. Versions 6.8.119 and 25.0.20 contain a fix for the issue.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
< 6.8.119
Affected: < 25.0.20 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48369",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-22T18:45:25.983320Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T18:45:32.626Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-45jj-r48j-75pp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.119"
},
{
"status": "affected",
"version": "\u003c 25.0.20"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a persistent Cross-Site Scripting (XSS) vulnerability exists in Groupoffice\u0027s tasks comment functionality, allowing attackers to execute arbitrary JavaScript by uploading an file with a crafted filename. When administrators or other users view the task containing this malicious file, the payload executes in their browser context. The application fails to sanitize image filenames before rendering them in the comment. By uploading an image with a crafted filename containing XSS payloads, attackers can steal sensitive information. Versions 6.8.119 and 25.0.20 contain a fix for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T17:33:06.254Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-45jj-r48j-75pp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-45jj-r48j-75pp"
}
],
"source": {
"advisory": "GHSA-45jj-r48j-75pp",
"discovery": "UNKNOWN"
},
"title": "GroupOffice vulnerable to Stored XSS in Tasks Comment Section"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48369",
"datePublished": "2025-05-22T17:33:06.254Z",
"dateReserved": "2025-05-19T15:46:00.395Z",
"dateUpdated": "2025-05-22T18:45:32.626Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48368 (GCVE-0-2025-48368)
Vulnerability from cvelistv5 – Published: 2025-05-22 17:29 – Updated: 2025-05-22 17:52
VLAI
Title
GroupOffice's DOM-Based XSS in all Date Input Fields Allows Arbitrary JavaScript Execution
Summary
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a DOM-based Cross-Site Scripting (XSS) vulnerability exists in the GroupOffice application, allowing attackers to execute arbitrary JavaScript code in the context of the victim's browser. This can lead to session hijacking, defacement, or redirection to malicious sites. The vulnerability can be triggered by injecting a crafted payload into a parameter that is later processed unsafely in the DOM. Versions 6.8.119 and 25.0.20 contain a fix for the issue.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Intermesh/groupoffice/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Intermesh | groupoffice |
Affected:
< 6.8.119
Affected: < 25.0.20 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48368",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-22T17:51:41.168557Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T17:52:08.245Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-c49j-qvp9-vgg6"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.119"
},
{
"status": "affected",
"version": "\u003c 25.0.20"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a DOM-based Cross-Site Scripting (XSS) vulnerability exists in the GroupOffice application, allowing attackers to execute arbitrary JavaScript code in the context of the victim\u0027s browser. This can lead to session hijacking, defacement, or redirection to malicious sites. The vulnerability can be triggered by injecting a crafted payload into a parameter that is later processed unsafely in the DOM. Versions 6.8.119 and 25.0.20 contain a fix for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T17:31:21.007Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-c49j-qvp9-vgg6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-c49j-qvp9-vgg6"
}
],
"source": {
"advisory": "GHSA-c49j-qvp9-vgg6",
"discovery": "UNKNOWN"
},
"title": "GroupOffice\u0027s DOM-Based XSS in all Date Input Fields Allows Arbitrary JavaScript Execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48368",
"datePublished": "2025-05-22T17:29:57.631Z",
"dateReserved": "2025-05-19T15:46:00.394Z",
"dateUpdated": "2025-05-22T17:52:08.245Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}