Unrated severityNVD Advisory· Published Feb 27, 2026· Updated Mar 3, 2026

Group-Office Vulnerable to Remote Code Execution (RCE)

CVE-2026-27947

Description

Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.9, 25.0.87, and 6.8.154 have an authenticated Remote Code Execution vulnerability in the TNEF attachment processing flow. The vulnerable path extracts attacker-controlled files from winmail.dat and then invokes zip with a shell wildcard (*). Because extracted filenames are attacker-controlled, they can be interpreted as zip options and lead to arbitrary command execution. Versions 26.0.9, 25.0.87, and 6.8.154 fix the issue.

Affected products

Intermesh/Groupofficev5
Range: >= 26.0.0, < 26.0.9

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/Intermesh/groupoffice/security/advisories/GHSA-2rwh-9qp7-f92xmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000