CVE-2026-30238 MEDIUM

CVE-2026-30238: Group-Office: Reflected XSS in JavaScript context

Vendor Intermesh
Product groupoffice
Weakness CWE-79 · XSS
Published March 6, 2026
Last update March 9, 2026

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in GroupOffice on the external/index flow. The f parameter (Base64 JSON) is decoded and then injected into an inline JavaScript block without strict escaping, allowing </script><script>...</script> injection and arbitrary JavaScript execution in the victim's browser. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10.
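
The weakness class described above, as an added example in Node.js: it is a model of the flow, not Group-Office source code or the vendor's patch. The variable `params`, the field `name` and all function names are hypothetical, and the sample value is constructed.

```javascript
// Decode the Base64 JSON value of the `f` parameter into an object.
function decodeF(f) {
  const data = JSON.parse(Buffer.from(f, 'base64').toString('utf8'));
  if (data === null || typeof data !== 'object') {
    throw new TypeError('f must decode to a JSON object');
  }
  return data;
}

// BEFORE: JSON.stringify() yields a valid JS literal but leaves "<", ">" and "/"
// untouched, so the HTML parser still sees a "</script>" end tag inside a string.
function renderInlineUnsafe(data) {
  return '<script>var params = ' + JSON.stringify(data) + ';</script>';
}

// AFTER: also escape the characters that matter to the HTML parser (and
// U+2028/U+2029) as \uXXXX. The JS engine decodes them, so the data is unchanged.
function jsonForScript(data) {
  return JSON.stringify(data).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderInlineSafe(data) {
  return '<script>var params = ' + jsonForScript(data) + ';</script>';
}

// Regression check: count the script end tags the HTML parser would find.
// Exactly one (the template's own) means the value stayed inside the block.
function countScriptEndTags(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed sample: a value carrying the sequence named in the description.
const sample = { name: 'x</script><script>/* injected */</script>' };
const fParam = Buffer.from(JSON.stringify(sample)).toString('base64');

console.log('unsafe end tags:', countScriptEndTags(renderInlineUnsafe(decodeF(fParam))));
console.log('safe end tags:  ', countScriptEndTags(renderInlineSafe(decodeF(fParam))));
```

A check like `countScriptEndTags` fits in a template unit test, so a later change that drops the escaping fails the build.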

Key dates

Disclosure timeline

March 6, 2026 CVE published
March 9, 2026 Record updated