VYPR
Medium severity (CVSS 5.4) · NVD Advisory · Published Apr 15, 2026 · Updated May 19, 2026

CVE-2026-26291
Description

Stored cross-site scripting vulnerability exists in GROWI v7.4.6 and earlier. If this vulnerability is exploited, an arbitrary script may be executed in a user's web browser.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in GROWI file upload allows arbitrary script execution when other users view crafted files.

Vulnerability

GROWI v7.4.6 and earlier contain a stored cross-site scripting (XSS) vulnerability in the file upload functionality. An attacker can upload a crafted HTML file that, when opened by another user, is rendered by the browser and executes arbitrary script in that user's session [1][2].

Exploitation

To exploit this vulnerability, the attacker must have login access to the GROWI instance. The attacker uploads a malicious HTML file, and when other users view the file, the script runs. The attack requires user interaction (viewing the file). If uploads are served from an external domain such as S3, the script runs in that storage origin rather than GROWI's, so direct theft of GROWI session cookies is limited [1].

Impact

Successful exploitation allows an attacker to execute arbitrary scripts in the context of the victim's browser, potentially leading to phishing, defacement, or other malicious actions. The CVSS v3 base score is 5.4 (Medium) [2].

Mitigation

The vulnerability is fixed in GROWI v7.4.7. This version introduces Content-Disposition header control: files whose MIME type is not on the allowed list are served with Content-Disposition: attachment, so the browser downloads them instead of rendering them, preventing script execution. Users should update immediately [1][2].
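The following is an added example of the mitigation described above, written here for illustration; it is not GROWI's own code, and the inline allowlist, function names and sample filenames are assumptions. It decides the response headers for a stored upload so that anything outside the allowlist (text/html, image/svg+xml, and so on) is downloaded rather than rendered in the page's origin.

```javascript
// Added example (not GROWI's code): serve uploads with Content-Disposition
// control so a crafted HTML file is never rendered in the application origin.
// The allowlist of types that may be shown inline is an assumption.
const INLINE_ALLOWLIST = new Set([
  'image/png', 'image/jpeg', 'image/gif', 'image/webp', 'application/pdf',
]);

// Normalise a Content-Type value: drop parameters, lower-case, trim.
function normalizeMime(contentType) {
  return String(contentType || '').split(';')[0].trim().toLowerCase();
}

// Build a quoted-string filename for the header: replace quotes, backslashes
// and CR/LF so the stored name cannot break out of the header value.
function safeFilename(name) {
  const base = String(name || 'download').replace(/[\r\n"\\]/g, '_');
  return base.length ? base : 'download';
}

// Decide response headers for a stored upload. Allowlisted types are shown
// inline; everything else is forced to download (attachment). nosniff stops
// the browser from guessing a different, active type for the body.
function attachmentHeaders(contentType, filename) {
  const mime = normalizeMime(contentType);
  const inline = INLINE_ALLOWLIST.has(mime);
  return {
    'Content-Type': mime || 'application/octet-stream',
    'Content-Disposition':
      `${inline ? 'inline' : 'attachment'}; filename="${safeFilename(filename)}"`,
    'X-Content-Type-Options': 'nosniff',
  };
}

// Apply the decision to a Node http.ServerResponse before streaming the body.
function applyUploadHeaders(res, contentType, filename) {
  const headers = attachmentHeaders(contentType, filename);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  return headers;
}

module.exports = { attachmentHeaders, applyUploadHeaders, normalizeMime, safeFilename };
```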

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
