QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2026-27947

Back to search

CVE-2026-27947

Published: Feb 27, 2026

Modified: Mar 3, 2026

PUBLISHED

Description

Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.9, 25.0.87, and 6.8.154 have an authenticated Remote Code Execution vulnerability in the TNEF attachment processing flow. The vulnerable path extracts attacker-controlled files from `winmail.dat` and then invokes `zip` with a shell wildcard (`*`). Because extracted filenames are attacker-controlled, they can be interpreted as `zip` options and lead to arbitrary command execution. Versions 26.0.9, 25.0.87, and 6.8.154 fix the issue.

VendorProductVersions

Intermesh

groupoffice

affected
>= 26.0.0, < 26.0.9
affected
>= 25.0.0, < 25.0.87
affected
< 6.8.154

Weaknesses (CWE)

CWE-88
CWE-434

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now