Stored Cross-Site Scripting Vulnerability in Group-Office CRM Tool
CVE-2026-23887

5.1MEDIUM

Key Information:

Vendor

Intermesh

Status
Groupoffice
Vendor
CVE Published:
21 January 2026

What is CVE-2026-23887?

Group-Office, a customer relationship management and groupware tool, is susceptible to a Stored Cross-Site Scripting vulnerability. In versions 6.8.148 and lower, along with versions 25.0.1 to 25.0.79, the application improperly handles unsanitized filenames stored in its database. This flaw permits malicious users to exploit sessions by crafting specially designed filenames, leading to potential interference with user interactions within the application. The risk persists, particularly in file-viewing scenarios, although it is confined to that context. The issue has been resolved in subsequent versions 6.8.149 and 25.0.80.

Affected Version(s)

groupoffice < 6.8.149 < 6.8.149

groupoffice >= 25.0.1, < 25.0.80 < 25.0.1, 25.0.80

References

https://github.com/Intermesh/groupoffice/security/advisor...
x_refsource_CONFIRM
https://github.com/Intermesh/groupoffice/commit/3fa40d7ed...
x_refsource_MISC
https://github.com/Intermesh/groupoffice/commit/ac91b1281...
x_refsource_MISC

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.