CVE-2026-25134 CRITICAL

CVE-2026-25134: Group-Office Argument Injection in MaintenanceController::actionZipLanguage

Vendor Intermesh
Product groupoffice
Weakness CWE-88
Published February 2, 2026
Last update February 4, 2026

CVSS base score

9.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01 Description

Group-Office is an enterprise customer relationship management and groupware tool. Prior to 6.8.150, 25.0.82, and 26.0.5, the MaintenanceController exposes an action zipLanguage which takes a lang parameter and passes it directly to a system zip command via exec(). This can be combined with uploading a crafted zip file to achieve remote code execution. This vulnerability is fixed in 6.8.150, 25.0.82, and 26.0.5.
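A defensive pattern for the flaw described above, as an added example: this is not Group-Office's code or its actual fix. The function names, the language-code format and the `/srv/app/...` paths are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not Group-Office code: turns a request-supplied
// language code into an argv array for zip, or throws if it is unsafe.
function buildZipLanguageArgv(string $lang, string $langRoot, string $outDir): array
{
    // Allow-list of plain codes such as "en" or "pt_br". Anything with a
    // leading "-", whitespace, "/" or shell metacharacters is rejected.
    if (preg_match('/\A[a-z]{2,3}(_[a-z]{2})?\z/', $lang) !== 1) {
        throw new InvalidArgumentException('invalid language code');
    }
    // Assumes $langRoot and $outDir are absolute, server-controlled paths, so
    // no request-derived argument can start with "-" and be read as an option.
    return ['zip', '-r', '-q', "$outDir/lang-$lang.zip", "$langRoot/$lang"];
}

// Runs zip without a shell: the array form of proc_open() (PHP 7.4+)
// passes each element as exactly one argument.
function zipLanguage(string $lang, string $langRoot, string $outDir): int
{
    $argv = buildZipLanguageArgv($lang, $langRoot, $outDir);
    $devNull = ['file', '/dev/null', 'w']; // discard zip's output
    $proc = proc_open($argv, [1 => $devNull, 2 => $devNull], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start zip');
    }
    return proc_close($proc); // zip exit status, 0 on success
}

// Constructed sample inputs: two valid codes and three that must be refused.
foreach (['en', 'pt_br', '-x', 'en; id', '../etc'] as $candidate) {
    try {
        $argv = buildZipLanguageArgv($candidate, '/srv/app/language', '/srv/app/tmp');
        echo "accepted: ", implode(' ', $argv), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", json_encode($candidate), PHP_EOL;
    }
}
```

The validation and the shell-free argv are independent layers: the allow-list stops option-shaped values, and the array form of `proc_open()` removes shell parsing even if the allow-list is later loosened.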

Key dates

02 Disclosure timeline

February 2, 2026 CVE published
February 4, 2026 Record updated