Path Traversal Vulnerability in GROWI by GROWI, Inc.
CVE-2026-41951

8.6HIGH

Key Information:

Vendor: Growi, Inc.
Status: Growi
Vendor: CVE Published:; 11 May 2026

🔔 Create Growi, Inc. Vulnerability Alert

What is CVE-2026-41951?

A path traversal vulnerability in GROWI v7.5.0 and earlier enables potential attackers to manipulate file paths, which may facilitate the execution of arbitrary EJS templates on the server. This issue arises specifically when an email server is configured within the GROWI application, leading to potential exposure of sensitive server-side content. Proper remediation is essential to mitigate risks associated with this vulnerability.

Affected Version(s)

GROWI v7.5.0 and earlier

References

https://growi.co.jp/news/44/

https://jvn.jp/jp/JVN38788367/

CVSS V4

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

CVSS V3.0

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 11, 2026
Vulnerability Reserved
Apr 27, 2026

CVE-2026-41951 Data

JSON