CVE-2026-23887
Stored XSS in Group-Office via Unsanitized Filenames
Publication date: 2026-01-22
Last updated on: 2026-02-18
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| group-office | group_office | Up to 6.8.149 (6.8.149 excluded) |
| group-office | group_office | From 25.0.1 (included) up to 25.0.80 (25.0.80 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23887 is a Stored Cross-Site Scripting (XSS) vulnerability in the Group-Office application. It occurs because the application stores filenames without properly sanitizing or encoding them before displaying in the web interface. Malicious users can craft filenames containing embedded HTML or JavaScript code, which then executes in the browsers of users who view these filenames. This happens during file upload and viewing processes, allowing attackers to run scripts in the context of the victim's session. The vulnerability was fixed by applying proper HTML encoding (using htmlspecialchars) to filename-related fields before rendering them. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability allows an attacker who can store a file under a crafted name to execute JavaScript in the browser of any Group-Office user who views that name, for example in a folder listing or when opening the file. The script runs with the victim's session, so it can perform actions in the application as the victim and read what the victim's browser can read. The attack requires low privileges (enough to upload or name a file) and some user interaction (viewing or opening the file); it is rated moderate with a CVSS score of 5.1. Confidentiality and integrity can be affected; availability is not. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The first check is the version: any release in the affected ranges (before 6.8.149, or 25.0.1 up to but excluding 25.0.80) is vulnerable regardless of what is currently stored. Beyond that, you can look for payloads that have already been stored by searching filenames (not file contents) for HTML tag openers, event-handler attributes such as onerror= or onload=, and javascript: URLs. Note that grep -r over the storage directory searches the contents of the files rather than their names, so list the names first and filter those. Example commands: 1) List the names in the file storage and filter them: find /path/to/groupoffice/files | grep -i -E '<|onerror=|onload=|javascript:' 2) Query the database for suspicious names (the table and column names here are placeholders; adapt them to the schema of your Group-Office version): SELECT filename FROM files WHERE filename LIKE '%<%' OR filename LIKE '%onerror=%' OR filename LIKE '%javascript:%'; Any hit is a stored payload that would fire when a vulnerable version renders it and should be reviewed and renamed. An empty result does not mean the instance is patched; only the version check tells you that. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Upgrade Group-Office to a fixed version: 6.8.149 or later on the 6.8 branch, or 25.0.80 or later on the 25.0 branch. 2) If you cannot upgrade yet, apply the fix itself, which passes filenames and file extensions through htmlspecialchars() before they are rendered, so embedded HTML or JavaScript is displayed as text instead of being interpreted. 3) Until then, treat files with suspicious names with caution; because the payload can fire as soon as the name is displayed, avoiding "opening" a file is only a partial measure, and removing the stored name is safer. 4) Review existing filenames in the database or file storage and rename any that contain markup or script, bearing in mind that an attacker who still has upload rights can store a new one until the upgrade is in place. Together these steps stop stored XSS payloads in filenames from executing and protect users from session compromise or unauthorized actions in their browser. [1, 2, 3]
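The detection and clean-up described in the two answers above, as an added example that is not Group-Office's own code: a small Python scanner that takes stored filenames (from find output or a column exported from the database), flags the ones that look like HTML/JS payloads, shows the output encoding that neutralises them (html.escape is the Python analogue of the htmlspecialchars() call in the fix), and proposes a quarantine name for renaming them. The sample filenames are constructed for the demonstration, and the script name scan_names.py is hypothetical.

```python
"""Scan stored filenames for stored-XSS payloads (CVE-2026-23887 class).

Added example, not Group-Office code.  Feed it filenames on stdin, e.g.
    find /path/to/groupoffice/files -type f | python3 scan_names.py
or a column of names exported from the database.
"""
import html
import re
import sys

# Heuristics.  Searching for "<script" alone misses the common image/SVG
# payloads (<img src=x onerror=...>, <svg onload=...>), so flag any HTML
# tag opener, any on*= event-handler attribute, and javascript: URLs.
TAG_OPEN = re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)
EVENT_HANDLER = re.compile(r"\bon[a-z]{2,}\s*=", re.IGNORECASE)
JS_URL = re.compile(r"javascript\s*:", re.IGNORECASE)


def is_suspicious(name: str) -> bool:
    """True if a stored filename looks like an HTML/JS payload."""
    return bool(TAG_OPEN.search(name) or EVENT_HANDLER.search(name)
                or JS_URL.search(name))


def scan(names):
    """Return the subset of names worth a manual look (order preserved)."""
    return [n for n in names if is_suspicious(n)]


def html_encode(name: str) -> str:
    """Output encoding analogous to PHP htmlspecialchars($name, ENT_QUOTES),
    which the fix applies before a filename is placed in HTML.  The name is
    kept intact; it just can no longer open or close a tag or attribute."""
    return html.escape(name, quote=True)


def quarantine_name(name: str) -> str:
    """Replacement name for renaming an already-stored payload (mitigation
    step 4).  Conservative allow-list: letters, digits and underscore in any
    script, plus dot, space and hyphen; every other character becomes '_'."""
    return re.sub(r"[^\w. -]", "_", name)


# Constructed sample filenames (not real data) for a stand-alone run.
SAMPLE_FILENAMES = [
    "quarterly-report.pdf",
    "rock&roll.mp3",                                   # '&' alone is not XSS
    "<script>alert(1)</script>.txt",
    "<img src=x onerror=alert(document.cookie)>.png",  # no <script> tag at all
    "invoice onclick=alert(1).pdf",                    # attribute injection
    "javascript:alert(1).txt",
]

if __name__ == "__main__":
    # With nothing piped in, scan the constructed samples instead.
    if sys.stdin.isatty():
        names = SAMPLE_FILENAMES
    else:
        names = [line.rstrip("\n") for line in sys.stdin]
    for n in scan(names):
        print(f"SUSPICIOUS: {n!r}")
        print(f"   encoded for display : {html_encode(n)}")
        print(f"   quarantine rename   : {quarantine_name(n)}")
```

The event-handler pattern is deliberately loose and will flag an occasional benign name such as "add-onion=1.txt"; the output is a review list, not an automatic delete list. The quarantine rename is only meant for names the scan flagged, so its lossy allow-list does not touch ordinary stored files.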