Group-Office: Malicious Code Can Run in Your Browser

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

5.1

Group-Office: Malicious Code Can Run in Your Browser

CVE-2026-30238

Summary

Group-Office's customer relationship management tool has a security flaw that allows hackers to inject code into users' browsers, potentially stealing sensitive information or taking control of the browser. If you're using an earlier version, update to 6.8.155, 25.0.88, or 26.0.10 to fix the issue.

Original title

Original description

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in GroupOffice on the external/index flow. The f parameter (Base64 JSON) is decoded and then injected into an inline JavaScript block without strict escaping, allowing </script><script>...</script> injection and arbitrary JavaScript execution in the victim's browser. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10.

nvd CVSS4.0 5.1

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

https://github.com/Intermesh/groupoffice/security/advisories/GHSA-7p2f-c33m-rv5v

Published: 6 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026