CVE-2026-25512

Critical CVSS: 9.4

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, there is a remote code execution (RCE) vulnerability in Group-Office. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled parameter tmp_file into an exec() call. By injecting shell metacharacters into tmp_file, an authenticated attacker can execute arbitrary system commands on the server. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5.

Vendor

Group-office

Product

Group Office

CWE

CWE-78

Yayın Tarihi

2026-02-04 21:16:02

Güncelleme

2026-02-11 19:15:49

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-78 Group Office CRITICAL Group-office 2026

Referanslar

http://github.com/Intermesh/groupoffice/commit/6c612deca97a6cd2a1bd4feea0ce7e8e9d907792 https://github.com/Intermesh/groupoffice/security/advisories/GHSA-579w-jvg7-frr4 https://github.com/Intermesh/groupoffice/security/advisories/GHSA-579w-jvg7-frr4

Benzer Kayıtlar

High

CVE-2026-25511

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, a…

Critical

CVE-2026-25134

Group-Office is an enterprise customer relationship management and groupware tool. Prior to 6.8.150, 25.0.82, and 26.0.5…

Medium

CVE-2026-23887

Group-Office is an enterprise customer relationship management and groupware tool. In versions 6.8.148 and below, and 25…

High

CVE-2025-63406

An issue in Intermesh BV GroupOffice vulnerable before v.25.0.47 and 6.8.136 allows a remote attacker to execute arbitra…

Medium

CVE-2025-53505

Group-Office versions prior to 6.8.119 and prior to 25.0.20 provided by Intermesh BV contain a path traversal vulnerabil…

Medium

CVE-2025-53504

Group-Office versions prior to 6.8.119 and prior to 25.0.20 provided by Intermesh BV contain a cross-site scripting vuln…