Stored XSS Vulnerability in Group-Office CRM Tool
CVE-2026-45551

5.1 MEDIUM

Key Information:

Vendor: Intermesh

CVE Published: 29 May 2026

What is CVE-2026-45551?

Group-Office, an enterprise CRM and groupware tool by Intermesh, has a stored XSS vulnerability that allows low-privileged authenticated users to persist unauthorized settings. It arises from an insecure parameter in the saveSetting endpoint combined with an unescaped JavaScript injection in the email module. An attacker can exploit it to overwrite an administrator's email font size setting, which causes a JavaScript payload to execute in the administrator's browser. The issue affects versions prior to 26.0.25, 25.0.100, and 6.8.165, and has been patched in these releases.

Affected Version(s)

groupoffice >= 26.0.1, < 26.0.25

groupoffice >= 25.0.1, < 25.0.1005

groupoffice < 6.8.165

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
