Cross-Site Scripting Vulnerability in GROWI by GROWI Co.
CVE-2025-54806
5.1 MEDIUM
What is CVE-2025-54806?
GROWI versions up to and including v4.2.7 contain a cross-site scripting (XSS) vulnerability in the page alert function. An attacker can craft a malicious URL that, when accessed by an authenticated user, can execute arbitrary scripts in that user's web browser. Successful exploitation could lead to unauthorized access to sensitive information or to actions being taken on behalf of the user. Users should be aware of this vulnerability and apply the necessary updates to secure their applications.
Affected Version(s)
GROWI v4.2.7 and earlier
CVSS V4
Score: 5.1
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown
CVSS V3.0
Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
