Description
Stored cross-site scripting vulnerability exists in GROWI v7.4.6 and earlier. If this vulnerability is exploited, an arbitrary script may be executed in a user's web browser.
Published: 2026-04-15
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑Side Script Execution
Action: Apply Patch
AI Analysis

Impact

GROWI versions 7.4.6 and earlier suffer a stored cross‑site scripting flaw that allows an attacker to inject arbitrary JavaScript into the system’s database. When a victim later views a page that renders the malicious content, the script runs in the victim’s browser with the user’s privileges, potentially enabling cookie theft, session hijacking or defacement of the displayed page. This is a classic stored XSS described as CWE‑79.

Affected Systems

The affected product is GROWI by GROWI Inc. The vulnerability exists in all releases up to and including v7.4.6. No information is provided about a patch release, so administrators should verify whether a newer version is available.

Risk and Exploitability

The CVSS score of 4.8 indicates a medium severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet become a widely exploited threat. It is inferred that the attack vector requires an attacker to create or modify content that will be displayed to other users; when that content is rendered, the malicious script executes in the victim’s browser. The potential impact includes data theft, session hijack, and site defacement, and could affect any user who views the injected content.

Generated by OpenCVE AI on April 15, 2026 at 06:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GROWI to a version newer than 7.4.6 when a vendor patch is released.
  • If a patch is unavailable, configure input sanitization to escape or strip disallowed script content when storing and displaying user data.
  • Implement a Content Security Policy that limits script execution to trusted sources and disallows inline scripts.
  • Restrict or disable the ability for ordinary users to create or edit content that is rendered without proper escaping.

Generated by OpenCVE AI on April 15, 2026 at 06:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Growi
Growi growi
Vendors & Products Growi
Growi growi

Wed, 15 Apr 2026 05:00:00 +0000

Type Values Removed Values Added
Description Stored cross-site scripting vulnerability exists in GROWI v7.4.6 and earlier. If this vulnerability is exploited, an arbitrary script may be executed in a user's web browser.
Weaknesses CWE-79
References
Metrics cvssV3_0

{'score': 5.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Growi Growi
cve-icon MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-04-15T16:13:20.770Z

Reserved: 2026-04-10T06:02:38.943Z

Link: CVE-2026-26291

cve-icon Vulnrichment

Updated: 2026-04-15T13:32:53.385Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-15T05:16:25.597

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-26291

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T13:49:14Z

Weaknesses