Unrated severityOSV Advisory· Published Jan 21, 2026· Updated Jan 22, 2026

Group-Office has stored XSS vulnerability via unsanitized filenames

CVE-2026-23887

Description

Group-Office is an enterprise customer relationship management and groupware tool. In versions 6.8.148 and below, and 25.0.1 through 25.0.79, the application stores unsanitized filenames in the database, which can lead to Stored Cross-Site Scripting (XSS). Users who interact with these specially crafted file names within the Group-Office application are affected. While the scope is limited to the file-viewing context, it could still be used to interfere with user sessions or perform unintended actions in the browser. This issue is fixed in versions 6.8.149 and 25.0.80.

Affected products

Intermesh/GroupofficeOSV
Range: v6.3.1, v6.3.10, v6.3.11, …

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/Intermesh/groupoffice/commit/3fa40d7edd31fbe33babe07061d5a14ad19ea40fmitrex_refsource_MISC
github.com/Intermesh/groupoffice/commit/ac91b128157bc9c5ea015b6141ce71cd3bbc43f0mitrex_refsource_MISC
github.com/Intermesh/groupoffice/security/advisories/GHSA-3gj5-gvvr-g6hpmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000