Vulnerability Description
Group-Office is an enterprise customer relationship management and groupware tool. In versions 6.8.148 and below, and 25.0.1 through 25.0.79, the application stores unsanitized filenames in the database, which can lead to Stored Cross-Site Scripting (XSS). Users who interact with these specially crafted file names within the Group-Office application are affected. While the scope is limited to the file-viewing context, it could still be used to interfere with user sessions or perform unintended actions in the browser. This issue is fixed in versions 6.8.149 and 25.0.80.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Group-Office | Group Office | < 6.8.149 |
Related Weaknesses (CWE)
References
- https://github.com/Intermesh/groupoffice/commit/3fa40d7edd31fbe33babe07061d5a14a (Patch)
- https://github.com/Intermesh/groupoffice/commit/ac91b128157bc9c5ea015b6141ce71cd (Patch)
- https://github.com/Intermesh/groupoffice/security/advisories/GHSA-3gj5-gvvr-g6hp (Exploit, Vendor Advisory)
FAQ
What is CVE-2026-23887?
CVE-2026-23887 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Group-Office is an enterprise customer relationship management and groupware tool. In versions 6.8.148 and below, and 25.0.1 through 25.0.79, the application stores unsanitized filenames in the databa...
How severe is CVE-2026-23887?
CVE-2026-23887 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-23887?
Check the references section above for vendor advisories and patch information. Affected products include: Group-Office Group Office.