Reflected XSS Vulnerability in Group-Office Installer Affects Enterprise CRM Tools
CVE-2026-30237

2.1LOW

Key Information:

Vendor: Intermesh
Status: Groupoffice
Vendor: CVE Published:; 6 March 2026

What is CVE-2026-30237?

Group-Office, an enterprise CRM and groupware solution, has a reflected cross-site scripting vulnerability located in its installer. This vulnerability exists in versions prior to 6.8.155, 25.0.88, and 26.0.10 due to the lack of proper escaping in the installer script, specifically in the endpoint install/license.php. Specifically, the POST field 'license' can be manipulated to execute arbitrary scripts, creating a potential for malicious exploitation. Users are advised to upgrade to the patched versions to mitigate the risk associated with this vulnerability.

Affected Version(s)

groupoffice < 6.8.155 < 6.8.155

groupoffice < 25.0.88 < 25.0.88

groupoffice < 26.0.10 < 26.0.10

References

https://github.com/Intermesh/groupoffice/security/advisor...

x_refsource_CONFIRM

CVSS V4

Score:

2.1

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 6, 2026
Vulnerability Reserved
Mar 4, 2026

CVE-2026-30237 Data

JSON