CVE-2026-27947

Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.9, 25.0.87, and 6.8.154 have an authenticated Remote Code Execution vulnerability in the TNEF attachment processing flow. The vulnerable path extracts attacker-controlled files from `winmail.dat` and then invokes `zip` with a shell wildcard (`*`). Because extracted filenames are attacker-controlled, they can be interpreted as `zip` options and lead to arbitrary command execution. Versions 26.0.9, 25.0.87, and 6.8.154 fix the issue.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/Intermesh/groupoffice/security/advisories/GHSA-2rwh-9qp7-f92x	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:intermesh:group-office::::::::
	cpe:2.3:a:intermesh:group-office::::::::
	cpe:2.3:a:intermesh:group-office::::::::

History

04 Mar 2026, 16:07

Type	Values Removed	Values Added
References	~~() https://github.com/Intermesh/groupoffice/security/advisories/GHSA-2rwh-9qp7-f92x -~~	() https://github.com/Intermesh/groupoffice/security/advisories/GHSA-2rwh-9qp7-f92x - Vendor Advisory
First Time		Intermesh Intermesh group-office
CPE		cpe:2.3:a:intermesh:group-office::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8

27 Feb 2026, 20:21

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-27 20:21

Updated : 2026-03-04 16:07

NVD link : CVE-2026-27947

Mitre link : CVE-2026-27947

CVE.ORG link : CVE-2026-27947

JSON object : View

Products Affected

intermesh

group-office

CWE

CWE-88

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2026-27947", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-27T20:21:40.513", "references": [{"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-2rwh-9qp7-f92x", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-88"}, {"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.9, 25.0.87, and 6.8.154 have an authenticated Remote Code Execution vulnerability in the TNEF attachment processing flow. The vulnerable path extracts attacker-controlled files from `winmail.dat` and then invokes `zip` with a shell wildcard (`*`). Because extracted filenames are attacker-controlled, they can be interpreted as `zip` options and lead to arbitrary command execution. Versions 26.0.9, 25.0.87, and 6.8.154 fix the issue."}], "lastModified": "2026-03-04T16:07:30.840", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B7884A40-14BE-4D43-BAF3-12175EEB863D", "versionEndExcluding": "6.8.154"}, {"criteria": "cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A0895EF8-BAFE-41A6-90CE-EFAFBCE273D5", "versionEndExcluding": "25.0.87", "versionStartIncluding": "25.0.1"}, {"criteria": "cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8DFBE230-B5B4-4163-B441-E9D0446D05DA", "versionEndExcluding": "26.0.9", "versionStartIncluding": "26.0.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}