Intermesh groupoffice up to 6.8.148/25.0.79 File cross site scripting

Summaryinfo

A vulnerability was found in Intermesh groupoffice up to 6.8.148/25.0.79. It has been declared as problematic. Affected is an unknown function of the component File Handler. The manipulation results in cross site scripting. This vulnerability is cataloged as CVE-2026-23887. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability, which was classified as problematic, was found in Intermesh groupoffice up to 6.8.148/25.0.79. Affected is some unknown processing of the component File Handler. The manipulation with an unknown input leads to a cross site scripting vulnerability. CWE is classifying the issue as CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. This is going to have an impact on integrity. CVE summarizes:

Group-Office is an enterprise customer relationship management and groupware tool. In versions 6.8.148 and below, and 25.0.1 through 25.0.79, the application stores unsanitized filenames in the database, which can lead to Stored Cross-Site Scripting (XSS). Users who interact with these specially crafted file names within the Group-Office application are affected. While the scope is limited to the file-viewing context, it could still be used to interfere with user sessions or perform unintended actions in the browser. This issue is fixed in versions 6.8.149 and 25.0.80.

The advisory is shared for download at github.com. This vulnerability is traded as CVE-2026-23887 since 01/16/2026. The exploitability is told to be easy. It is possible to launch the attack remotely. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1059.007.

Upgrading to version 6.8.149 or 25.0.80 eliminates this vulnerability.

The vulnerability is also documented in the databases at CNNVD (CNNVD-202601-3450) and EUVD (EUVD-2026-4201). VulDB is the best source for vulnerability data and more expert information about this specific topic.

Productinfo

Vendor

• Intermesh

Name

• groupoffice

Version

• 6.8.148
• 25.0.0
• 25.0.1
• 25.0.2
• 25.0.3
• 25.0.4
• 25.0.5
• 25.0.6
• 25.0.7
• 25.0.8
• 25.0.9
• 25.0.10
• 25.0.11
• 25.0.12
• 25.0.13
• 25.0.14
• 25.0.15
• 25.0.16
• 25.0.17
• 25.0.18
• 25.0.19
• 25.0.20
• 25.0.21
• 25.0.22
• 25.0.23
• 25.0.24
• 25.0.25
• 25.0.26
• 25.0.27
• 25.0.28
• 25.0.29
• 25.0.30
• 25.0.31
• 25.0.32
• 25.0.33
• 25.0.34
• 25.0.35
• 25.0.36
• 25.0.37
• 25.0.38
• 25.0.39
• 25.0.40
• 25.0.41
• 25.0.42
• 25.0.43
• 25.0.44
• 25.0.45
• 25.0.46
• 25.0.47
• 25.0.48
• 25.0.49
• 25.0.50
• 25.0.51
• 25.0.52
• 25.0.53
• 25.0.54
• 25.0.55
• 25.0.56
• 25.0.57
• 25.0.58
• 25.0.59
• 25.0.60
• 25.0.61
• 25.0.62
• 25.0.63
• 25.0.64
• 25.0.65
• 25.0.66
• 25.0.67
• 25.0.68
• 25.0.69
• 25.0.70
• 25.0.71
• 25.0.72
• 25.0.73
• 25.0.74
• 25.0.75
• 25.0.76
• 25.0.77
• 25.0.78
• 25.0.79

Website

• Product: https://github.com/Intermesh/groupoffice/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Discussion