CVE-2026-30237
Group-Office: Self XSS in GroupOffice Installer License Page (install/license.php)
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in the GroupOffice installer, at the endpoint `install/license.php`. The POST field `license` is rendered without escaping inside a `<textarea>`, allowing a `</textarea><script>...</script>` breakout. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10.
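The unescaped-textarea pattern described above, next to an output-encoded version and a small check that tells them apart. This is an added illustration, not Group-Office source code: the function names and the sample input are constructed for the example, and only the breakout shape is taken from the advisory text.

```php
<?php
// Added example; not Group-Office code. All function names are hypothetical.

// Unescaped pattern: the submitted value becomes the textarea body as-is,
// so a value containing "</textarea>" ends the element early and whatever
// follows is parsed by the browser as markup.
function render_license_unescaped(string $license): string
{
    return '<textarea name="license">' . $license . '</textarea>';
}

// Encoded pattern: HTML-encode at output time. "<" and ">" become entities,
// so the submitted text cannot close the element it is rendered into.
function render_license_escaped(string $license): string
{
    $safe = htmlspecialchars($license, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<textarea name="license">' . $safe . '</textarea>';
}

// Regression check: the rendered fragment must contain exactly one textarea
// closing tag (the template's own) and no literal script tag.
function stays_inside_textarea(string $html): bool
{
    $lower = strtolower($html);
    return substr_count($lower, '</textarea') === 1
        && strpos($lower, '<script') === false;
}

// Constructed sample input using the breakout shape quoted in the advisory.
$submitted = "LICENSE-LINE-1\n</textarea><script>...</script>";

$renderers = [
    'unescaped' => 'render_license_unescaped',
    'escaped'   => 'render_license_escaped',
];

foreach ($renderers as $label => $fn) {
    $html = $fn($submitted);
    printf("%-10s %s\n", $label, stays_inside_textarea($html) ? 'contained' : 'BREAKOUT');
}
```

The same check can run in a test suite against any template that echoes request data into a `<textarea>`.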
| CWE | CWE-79 |
| Vendor | intermesh |
| Product | groupoffice |
| Published | Mar 6, 2026 |
| Last Updated | Mar 9, 2026 |
Affected Versions
Intermesh / groupoffice
< 6.8.155, < 25.0.88, < 26.0.10