QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2026-25512

Back to search

CVE-2026-25512

Published: Feb 4, 2026

Modified: Feb 5, 2026

PUBLISHED

Description

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, there is a remote code execution (RCE) vulnerability in Group-Office. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled parameter tmp_file into an exec() call. By injecting shell metacharacters into tmp_file, an authenticated attacker can execute arbitrary system commands on the server. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5.

VendorProductVersions

Intermesh

groupoffice

affected
< 6.8.150
affected
< 25.0.82
affected
< 26.0.5

Weaknesses (CWE)

CWE-78

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now