CVE-2026-30238
Group-Office: Reflected XSS in JavaScript context
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in GroupOffice on the external/index flow. The f parameter (Base64 JSON) is decoded and then injected into an inline JavaScript block without strict escaping, allowing </script><script>...</script> injection and arbitrary JavaScript execution in the victim's browser. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10.
| CWE | CWE-79 |
| Vendor | intermesh |
| Product | groupoffice |
| Published | Mar 6, 2026 |
| Last Updated | Mar 9, 2026 |
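The pattern named in the description, shown beside a hardened form. This is an added example, not Group-Office's own code: the function names, the `params` variable and the sample value are hypothetical, and PHP is used because Group-Office is a PHP application.

```php
<?php
declare(strict_types=1);

// Hypothetical model of the flow in the advisory; names are illustrative
// and are not taken from the Group-Office code base.

/** Decode the Base64 JSON `f` parameter; return null on anything malformed. */
function decodeF(string $f): ?array
{
    $raw = base64_decode($f, true);        // strict mode rejects non-Base64 input
    if ($raw === false) {
        return null;
    }
    $data = json_decode($raw, true, 8);    // small depth limit for a flat parameter map
    return is_array($data) ? $data : null;
}

/** Unsafe: the JSON text reaches the inline block with "</script>" intact. */
function renderUnsafe(array $data): string
{
    // Assumption: slashes left unescaped. PHP's default "\/" escaping would hide
    // this one sequence but still emits raw "<" and ">" into the script block.
    $json = json_encode($data, JSON_UNESCAPED_SLASHES);
    return "<script>var params = {$json};</script>";
}

/** Safe: <, >, &, ' and " are emitted as \uXXXX, so the HTML parser sees no tag. */
function renderSafe(array $data): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;
    $json  = json_encode($data, $flags);
    return "<script>var params = {$json};</script>";
}

// Constructed sample: a value carrying the breakout sequence named in the advisory.
$f = base64_encode(json_encode(['module' => '</script><script>/* injected */</script>']));

$data = decodeF($f) ?? [];
foreach (['unsafe' => renderUnsafe($data), 'safe' => renderSafe($data)] as $label => $html) {
    // A single script end tag means the block closes only where the template intended.
    printf("%-6s script end tags seen by the HTML parser: %d\n",
        $label, substr_count(strtolower($html), '</script'));
}
```

The hardened output is still valid JavaScript and parses back to the same values, because the `\uXXXX` escapes are decoded by the JavaScript engine rather than by the HTML parser.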
Affected Versions
Intermesh / groupoffice
< 6.8.155, < 25.0.88, < 26.0.10