Stored Cross-Site Scripting Vulnerability in GROWI by Hishidama
CVE-2026-26291

4.8MEDIUM

Key Information:

Vendor: Growi, Inc.
Status: Growi
Vendor: CVE Published:; 15 April 2026

🔔 Create Growi, Inc. Vulnerability Alert

What is CVE-2026-26291?

A stored cross-site scripting vulnerability exists in GROWI versions 7.4.6 and earlier, allowing an attacker to inject arbitrary scripts. Once executed in a user's web browser, this can lead to unauthorized access, data theft, or session hijacking. Web administrators are advised to update to the latest version to mitigate potential security risks.

Affected Version(s)

GROWI v7.4.6 and earlier

References

https://growi.co.jp/news/43/

https://jvn.jp/en/jp/JVN62079296/

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

CVSS V3.0

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 15, 2026
Vulnerability Reserved
Apr 10, 2026

CVE-2026-26291 Data

JSON