Description
Group-Office is an enterprise customer relationship management and groupware tool. In versions 6.8.148 and below, and 25.0.1 through 25.0.79, the application stores unsanitized filenames in the database, which can lead to Stored Cross-Site Scripting (XSS). Users who interact with these specially crafted file names within the Group-Office application are affected. While the scope is limited to the file-viewing context, it could still be used to interfere with user sessions or perform unintended actions in the browser. This issue is fixed in versions 6.8.149 and 25.0.80.
Published: 2026-01-21
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The vulnerability occurs because the application stores file names without sanitizing them, allowing an attacker to embed script code in the metadata stored for a file. When a user opens or views that file, the embedded script executes in the user's browser, which can compromise session integrity or trigger unintended browser actions. This is a classic stored XSS flaw, classified as improper input validation (CWE-20) and cross-site scripting (CWE-79).

Affected Systems

Intermesh Group-Office 6.8.148 and earlier, as well as 25.0.1 through 25.0.79, are affected. The fix is available in 6.8.149 and 25.0.80.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, while the EPSS score of under 1% suggests exploitation is unlikely in the short term. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to supply a malicious file name during an upload or file-creation operation, after which the victim must interact with the file in the application. The risk is confined to the file-viewing context but can still be used to interfere with user sessions or trigger unexpected client-side behavior.

Generated by OpenCVE AI on April 18, 2026 at 04:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Group‑Office 6.8.149 or 25.0.80, which contain a fix that sanitizes file names
  • Configure file upload controls to reject file names containing script tags or other special characters before they are stored
  • Audit existing files for potentially malicious names and clean or delete any that appear suspicious

Generated by OpenCVE AI on April 18, 2026 at 04:02 UTC.
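The two controls the analysis above points at, validating file names before they are stored and escaping them when the file viewer renders them, in a small added example (not code from the OpenCVE record or from Group-Office). The `storedFile` record is constructed to stand in for a name that reached the database unsanitized; the markup shape is assumed, not Group-Office's actual template.

```javascript
// Added example, not Group-Office code. Runs under Node.js with no dependencies.

// Characters a user-supplied file name should never carry: control characters,
// path separators and the angle brackets that turn a name into markup.
// Stricter policies (rejecting quotes or ampersands too) are a product choice.
const FORBIDDEN = /[\x00-\x1f\x7f\/\\<>]/;
const MAX_LEN = 255;

// Upload-time validation. Returns { ok, reason } so the caller can log the reason.
function validateFilename(name) {
  if (typeof name !== 'string' || name.length === 0) return { ok: false, reason: 'empty' };
  if (name.length > MAX_LEN) return { ok: false, reason: 'too long' };
  if (name === '.' || name === '..') return { ok: false, reason: 'reserved name' };
  if (FORBIDDEN.test(name)) return { ok: false, reason: 'forbidden character' };
  return { ok: true, reason: '' };
}

// Escape the five HTML metacharacters so a stored value is rendered as text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the stored name is concatenated straight into markup,
// so a name that contains a tag becomes live HTML in the file viewer.
function renderRowVulnerable(file) {
  return `<tr><td>${file.name}</td><td>${file.size}</td></tr>`;
}

// Hardened pattern: every stored value is escaped at the point of output.
// Output encoding is the control that closes the bug; validation is defence in depth,
// because names already in the database never pass through the upload check again.
function renderRowSafe(file) {
  return `<tr><td>${escapeHtml(file.name)}</td><td>${escapeHtml(file.size)}</td></tr>`;
}

// Constructed sample record: a name that slipped into the database unsanitized.
const storedFile = { name: 'report<script>x</script>.pdf', size: 1024 };
```

Auditing existing records, as the third recommended action suggests, is the same check run over each stored name: `validateFilename(row.name).ok === false` flags the rows to clean.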

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 15:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Group-office
                                       Group-office group Office
CPEs                                   cpe:2.3:a:group-office:group_office:*:*:*:*:*:*:*:*
Vendors & Products                     Group-office
                                       Group-office group Office
Metrics                                cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Fri, 23 Jan 2026 16:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Intermesh
                                       Intermesh group-office
Vendors & Products                     Intermesh
                                       Intermesh group-office

Thu, 22 Jan 2026 23:00:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 22 Jan 2026 00:00:00 +0000

Type                  Values Removed   Values Added
Description                            Group-Office is an enterprise customer relationship management and groupware tool. In versions 6.8.148 and below, and 25.0.1 through 25.0.79, the application stores unsanitized filenames in the database, which can lead to Stored Cross-Site Scripting (XSS). Users who interact with these specially crafted file names within the Group-Office application are affected. While the scope is limited to the file-viewing context, it could still be used to interfere with user sessions or perform unintended actions in the browser. This issue is fixed in versions 6.8.149 and 25.0.80.
Title                                  Group-Office has stored XSS vulnerability via unsanitized filenames
Weaknesses                             CWE-20
                                       CWE-79
References
Metrics                                cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T21:52:37.524Z

Reserved: 2026-01-16T21:02:02.902Z

Link: CVE-2026-23887

Vulnrichment

Updated: 2026-01-22T21:52:33.299Z

NVD

Status : Analyzed

Published: 2026-01-22T00:15:51.930

Modified: 2026-02-18T15:03:12.833

Link: CVE-2026-23887

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:15:05Z

Weaknesses