What is CVE-2026-34838?

CVE-2026-34838 is a critical-severity vulnerability in Intermesh Groupoffice, classified under Deserialization of Untrusted Data. CVSS score: 10.0/10. Published 2026-04-02.

How severe is CVE-2026-34838?

Critical severity. CVSS v3 base score is 10.0 out of 10.

Is CVE-2026-34838 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Deserialization in Intermesh Groupoffice

CVE-2026-34838

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to insecure deserialization when these settin…

Vulnerability class: Insecure Deserialization

EPSS: 0.003 (51.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 10.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.

Affected products

Intermesh Groupoffice — versions < 6.8.156, < 25.0.90, < 26.0.12

Weakness classification (CWE)

CWE-502 — Deserialization of Untrusted Data

Public proof-of-concept exploits

bamuwe/CVE-2026-34838

References

https://github.com/Intermesh/groupoffice/security/advisories/GHSA-h22j-frrf-5vxq (x_refsource_CONFIRM)
https://github.com/Intermesh/groupoffice/releases/tag/v25.0.90 (x_refsource_MISC)
https://github.com/Intermesh/groupoffice/releases/tag/v26.0.12 (x_refsource_MISC)
https://github.com/Intermesh/groupoffice/releases/tag/v6.8.156 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-34838?: CVE-2026-34838 is a critical-severity vulnerability in Intermesh Groupoffice, classified under Deserialization of Untrusted Data. CVSS score: 10.0/10. Published 2026-04-02.
How severe is CVE-2026-34838?: Critical severity. CVSS v3 base score is 10.0 out of 10.
Is CVE-2026-34838 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.