Description
Cross-site scripting vulnerability exists in E-mail function of Cybozu Garoon 5.0.0 to 6.0.3, which may allow an attacker to reset arbitrary users’ passwords.
Published: 2026-02-02
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Password reset via XSS in email function
Action: Patch
AI Analysis

Impact

Cybozu Garoon versions 5.0.0 through 6.0.3 contain a cross‑site scripting flaw in the email handling component that enables an attacker to inject malicious scripts. The injected scripts can trigger password‑reset functionality for arbitrary users, effectively allowing an attacker to take over other accounts. The weakness falls under CWE‑79 and impacts the integrity of user credentials and the availability of legitimate accounts.

Affected Systems

The affected product is Cybozu Garoon, produced by Cybozu, Inc., for all releases between 5.0.0 and 6.0.3 inclusive. These are internal collaboration and project‑management platforms used by organizations that host Garoon on their own infrastructure.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. The EPSS score of less than 1% signals exceedingly low exploitation probability at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog. While the official attack vector is not stated, it is inferred that an attacker could embed the XSS payload in an email sent through Garoon’s email function, thereby executing the malicious script in the target’s browser when the email is viewed.

Generated by OpenCVE AI on April 18, 2026 at 14:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑supplied patch or upgrade to a version later than 6.0.3 that resolves the XSS bug
  • Configure the email component to sanitize or whitelist HTML content and disallow script tags
  • Implement a content‑security‑policy header for Garoon web pages to restrict script execution
  • Audit logging of password‑reset requests to detect unauthorized activity

Generated by OpenCVE AI on April 18, 2026 at 14:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting in Garoon Email Enables Password Reset for Any User

Thu, 19 Feb 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:cybozu:garoon:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Wed, 04 Feb 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Cybozu
Cybozu cybozu Garoon
Cybozu garoon
Vendors & Products Cybozu
Cybozu cybozu Garoon
Cybozu garoon

Mon, 02 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Feb 2026 06:45:00 +0000

Type Values Removed Values Added
Description Cross-site scripting vulnerability exists in E-mail function of Cybozu Garoon 5.0.0 to 6.0.3, which may allow an attacker to reset arbitrary users’ passwords.
Weaknesses CWE-79
References
Metrics cvssV3_0

{'score': 6.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Cybozu Cybozu Garoon Garoon
cve-icon MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-02-02T16:28:24.555Z

Reserved: 2026-01-27T00:30:57.072Z

Link: CVE-2026-20711

cve-icon Vulnrichment

Updated: 2026-02-02T16:05:16.230Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-02T07:16:45.100

Modified: 2026-02-19T15:06:02.143

Link: CVE-2026-20711

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T14:30:02Z

Weaknesses