VYPR
injection and arbitrary JavaScript execution in the victim's browser. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10.","additionalType":"https://schema.org/SoftwareApplication","sameAs":["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-30238"]},"keywords":"CVE-2026-30238, Intermesh Group Office Groupware, Intermesh Groupoffice","mentions":[{"@type":"SoftwareApplication","name":"Group Office Groupware","applicationCategory":"SecurityApplication","publisher":{"@type":"Organization","name":"Intermesh"}},{"@type":"SoftwareApplication","name":"Groupoffice","applicationCategory":"SecurityApplication","publisher":{"@type":"Organization","name":"Intermesh"}}],"isAccessibleForFree":true},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://portal.vyprsec.ai/"},{"@type":"ListItem","position":2,"name":"CVEs","item":"https://portal.vyprsec.ai/cves"},{"@type":"ListItem","position":3,"name":"CVE-2026-30238","item":"https://portal.vyprsec.ai/cves/CVE-2026-30238"}]}]}
Unrated severityNVD Advisory· Published Mar 6, 2026· Updated Mar 9, 2026

Group-Office: Reflected XSS in JavaScript context

CVE-2026-30238

Description

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in GroupOffice on the external/index flow. The f parameter (Base64 JSON) is decoded and then injected into an inline JavaScript block without strict escaping, allowing injection and arbitrary JavaScript execution in the victim's browser. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10.

Affected products

2

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.