QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2026-30238

Back to search

CVE-2026-30238

Published: Mar 6, 2026

Modified: Mar 9, 2026

PUBLISHED

Description

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in GroupOffice on the external/index flow. The f parameter (Base64 JSON) is decoded and then injected into an inline JavaScript block without strict escaping, allowing </script><script>...</script> injection and arbitrary JavaScript execution in the victim's browser. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10.

VendorProductVersions

Intermesh

groupoffice

affected
< 6.8.155
affected
< 25.0.88
affected
< 26.0.10

Weaknesses (CWE)

CWE-79

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now