CVE-2026-30237 LOW

CVE-2026-30237: Group-Office: Self XSS in GroupOffice Installer License Page (install/license.php)

Vendor Intermesh
Product groupoffice
Weakness CWE-79 · XSS
Published March 6, 2026
Last update March 9, 2026

CVSS base score

2.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Active
Confidentiality Low
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in the GroupOffice installer endpoint install/license.php. The POST field license is rendered without escaping inside a <textarea>, allowing a </textarea><script>...</script> breakout. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10.
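
The rendering pattern described above next to an escaped form, as an added PHP example that is not GroupOffice's code and not the vendor's patch. The function names and the sample input are constructed for illustration, and htmlspecialchars is an assumed (standard) way to encode the value.

```php
<?php
// Added illustration; hypothetical function names, not GroupOffice source.

// Unsafe pattern from the description: the submitted value is placed between
// the <textarea> tags as-is, so any markup in it is parsed as HTML.
function render_license_unsafe(string $license): string
{
    return '<textarea name="license">' . $license . '</textarea>';
}

// Hardened form: HTML metacharacters are encoded, so the value remains
// text content of the <textarea> whatever it contains.
function render_license_safe(string $license): string
{
    $encoded = htmlspecialchars(
        $license,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<textarea name="license">' . $encoded . '</textarea>';
}

// Regression check for a template test: the rendered fragment must contain
// exactly one closing textarea tag (the template's own) and no script tag.
function stays_inside_textarea(string $html): bool
{
    return substr_count(strtolower($html), '</textarea') === 1
        && stripos($html, '<script') === false;
}

// Constructed inputs: the breakout shape named in the description, and an
// ordinary value with characters that must survive as visible text.
$samples = [
    'breakout' => '</textarea><script>/* constructed marker */</script>',
    'ordinary' => "License line 1\nA & B <placeholder>",
];

// In a request handler the value would come from $_POST['license'] ?? ''.
foreach ($samples as $name => $value) {
    printf(
        "%-8s unsafe_contained=%s safe_contained=%s\n",
        $name,
        stays_inside_textarea(render_license_unsafe($value)) ? 'yes' : 'no',
        stays_inside_textarea(render_license_safe($value)) ? 'yes' : 'no'
    );
}
```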

Key dates

Disclosure timeline

March 6, 2026 CVE published
March 9, 2026 Record updated