Description
Path traversal vulnerability exists in GROWI v7.5.0 and earlier, which may allow an attacker to execute arbitrary EJS templates on the server when an email server is running in GROWI.
Published: 2026-05-11
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal flaw in GROWI v7.5.0 and earlier allows an attacker to craft a request that references directories outside the intended file scope. When the email server component is enabled, this flaw enables the attacker to instruct the server to render arbitrary EJS templates, which are executed with the same privileges as the web application and can run arbitrary JavaScript code on the host.

Affected Systems

GROWI (GROWI Inc.), versions 7.5.0 and earlier, is affected by this vulnerability.

Risk and Exploitability

The CVSS score of 8.6 classifies the issue as high severity. The EPSS score is below 1 %, indicating a low probability of widespread exploitation, and the vulnerability is not yet listed in the CISA KEV catalogue. The likely attack vector is local, or requires an attacker who can influence the email server component, since the flaw is exploitable only while that component is running. Successful exploitation would give the attacker full control over the application's runtime environment, leading to compromise of the underlying system.

Generated by OpenCVE AI on May 11, 2026 at 17:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version newer than 7.5.0 where the traversal check has been applied
  • If an upgrade cannot be performed immediately, disable or remove the email server component to stop the exploit path
  • Restrict the file system permissions of the GROWI process to enforce the principle of least privilege, preventing arbitrary file access

Advisories

No advisories yet.

History

Tue, 12 May 2026 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Growi; Growi growi
Vendors & Products | | Growi; Growi growi

Mon, 11 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
Title | | Path Traversal Allowing Arbitrary EJS Template Execution in GROWI

Mon, 11 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | Path traversal vulnerability exists in GROWI v7.5.0 and earlier, which may allow an attacker to execute arbitrary EJS templates on the server when an email server is running in GROWI.
Weaknesses | | CWE-22
References | |
Metrics | | cvssV3_0: {'score': 7.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}
 | | cvssV4_0: {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}
 | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-05-11T12:43:07.550Z

Reserved: 2026-04-27T08:21:56.914Z

Link: CVE-2026-41951

Vulnrichment

Updated: 2026-05-11T12:43:02.844Z

NVD

Status : Deferred

Published: 2026-05-11T10:16:13.913

Modified: 2026-05-12T15:10:27.993

Link: CVE-2026-41951

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:23:19Z

Weaknesses