CVE-2026-30238

Medium CVSS: 5.1

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in GroupOffice on the external/index flow. The f parameter (Base64 JSON) is decoded and then injected into an inline JavaScript block without strict escaping, allowing </script><script>...</script> injection and arbitrary JavaScript execution in the victim's browser. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10.

Vendor

Intermesh

Product

Group-office

CWE

CWE-79

Yayın Tarihi

2026-03-06 22:16:01

Güncelleme

2026-03-11 13:32:48

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-79 Group Office MEDIUM Intermesh 2026

Referanslar

https://github.com/Intermesh/groupoffice/security/advisories/GHSA-7p2f-c33m-rv5v

Benzer Kayıtlar

Low

CVE-2026-30237

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, a…

High

CVE-2026-27832

Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.8, 25.0.87, an…

Critical

CVE-2026-27947

Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.9, 25.0.87, an…

Medium

CVE-2025-48993

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27…

Medium

CVE-2025-48992

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27…

Medium

CVE-2025-48366

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20…