Unrated severityNVD Advisory· Published Mar 6, 2026· Updated Mar 9, 2026
Group-Office: Reflected XSS in JavaScript context
CVE-2026-30238
Description
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in GroupOffice on the external/index flow. The f parameter (Base64 JSON) is decoded and then injected into an inline JavaScript block without strict escaping, allowing injection and arbitrary JavaScript execution in the victim's browser. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10.
Affected products
2- Range: <= 6.8.154, <= 25.0.87, <= 26.0.9
- Range: < 6.8.155
Patches
Vulnerability mechanics
References
1- github.com/Intermesh/groupoffice/security/advisories/GHSA-7p2f-c33m-rv5vmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.