Group-Office Installer Allows Malicious Code Injection

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

2.1

Group-Office Installer Allows Malicious Code Injection

CVE-2026-30237

Summary

Using certain types of malicious links, an attacker could inject code that executes on a victim's computer, potentially leading to data theft or other security issues. If you use Group-Office, update to version 6.8.155 or later to protect your system. This issue has been fixed in the latest versions.

Original title

Original description

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in the GroupOffice installer, endpoint install/license.php. The POST field license is rendered without escaping inside a <textarea>, allowing a </textarea><script>...</script> breakout.. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10.

nvd CVSS4.0 2.1

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

https://github.com/Intermesh/groupoffice/security/advisories/GHSA-hchr-32xh-x5rx

Published: 6 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026