XSS in Intermesh Groupoffice
CVE-2026-23887
Group-Office is an enterprise customer relationship management and groupware tool. In versions 6.8.148 and below, and 25.0.1 through 25.0.79, the application stores unsanitized filenames in the database, which can lead to Stored Cross-Site…
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.000 (13.8th percentile)
Affected products
- Intermesh Groupoffice — versions < 6.8.149; versions >= 25.0.1 and < 25.0.80
Weakness classification (CWE)
References
- https://github.com/Intermesh/groupoffice/security/advisories/GHSA-3gj5-gvvr-g6hp (x_refsource_CONFIRM)
- https://github.com/Intermesh/groupoffice/commit/3fa40d7edd31fbe33babe07061d5a14ad19ea40f (x_refsource_MISC)
- https://github.com/Intermesh/groupoffice/commit/ac91b128157bc9c5ea015b6141ce71cd3bbc43f0 (x_refsource_MISC)