CVE-2026-30238

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-30238
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in GroupOffice on the external/index flow. The f parameter (Base64 JSON) is decoded and then injected into an inline JavaScript block without strict escaping, allowing </script><script>...</script> injection and arbitrary JavaScript execution in the victim's browser. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10.

6.1 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/Intermesh/groupoffice/security/advisories/GHSA-7p2f-c33m-rv5v Exploit Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:*
cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:*
cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:*
History

11 Mar 2026, 13:32

Type Values Removed Values Added
First Time Intermesh
Intermesh group-office
CPE cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:*
References () https://github.com/Intermesh/groupoffice/security/advisories/GHSA-7p2f-c33m-rv5v - () https://github.com/Intermesh/groupoffice/security/advisories/GHSA-7p2f-c33m-rv5v - Exploit, Vendor Advisory
Summary
  • (es) Group-Office es una herramienta empresarial de gestión de relaciones con los clientes y groupware. Antes de las versiones 6.8.155, 25.0.88 y 26.0.10, existe una vulnerabilidad XSS reflejada en GroupOffice en el flujo externo/índice. El parámetro f (Base64 JSON) se decodifica y luego se inyecta en un bloque JavaScript en línea sin un escape estricto, lo que permite la inyección y la ejecución arbitraria de JavaScript en el navegador de la víctima. Este problema se ha corregido en las versiones 6.8.155, 25.0.88 y 26.0.10.
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.1

06 Mar 2026, 22:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-06 22:16

Updated : 2026-03-11 13:32

NVD link : CVE-2026-30238

Mitre link : CVE-2026-30238

CVE.ORG link : CVE-2026-30238

JSON object : View

Products Affected

intermesh

  • group-office
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')