CVE-2026-23887
Stored XSS in Group-Office via Unsanitized Filenames

Publication date: 2026-01-22

Last updated on: 2026-02-18

Assigner: GitHub, Inc.

Description
Group-Office is an enterprise customer relationship management and groupware tool. In versions 6.8.148 and below, and 25.0.1 through 25.0.79, the application stores unsanitized filenames in the database, which can lead to Stored Cross-Site Scripting (XSS). Users who interact with these specially crafted file names within the Group-Office application are affected. While the scope is limited to the file-viewing context, it could still be used to interfere with user sessions or perform unintended actions in the browser. This issue is fixed in versions 6.8.149 and 25.0.80.
Meta Information
Published: 2026-01-22
Last Modified: 2026-02-18
Generated: 2026-05-07
AI Q&A: 2026-01-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor | Product | Version / Range
group-office | group_office | to 6.8.149 (exc)
group-office | group_office | From 25.0.1 (inc) to 25.0.80 (exc)
CWE ID | Description
CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-23887 is a Stored Cross-Site Scripting (XSS) vulnerability in the Group-Office application. It occurs because the application stores filenames without sanitizing or encoding them before they are displayed in the web interface. Malicious users can craft filenames containing embedded HTML or JavaScript code, which then executes in the browsers of users who view these filenames. This happens during the file upload and viewing processes, allowing attackers to run scripts in the context of the victim's session. The vulnerability was fixed by applying proper HTML encoding (using htmlspecialchars) to filename-related fields before rendering them. [1, 2, 3]


How can this vulnerability impact me?

This vulnerability can impact users by allowing attackers to execute malicious JavaScript code in their browsers when they view specially crafted filenames in Group-Office. This can lead to session interference, unauthorized actions performed in the browser, and potential compromise of user sessions. The attack requires low privileges and some user interaction (opening the file), and it has a moderate severity with a CVSS score of 5.1. The confidentiality and integrity of the affected system can be impacted, but availability is not affected. [3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking for suspicious filenames containing embedded HTML or JavaScript code in the Group-Office file storage or database. A practical approach is to search for filenames with patterns such as <script> tags or event handlers like 'onerror'. Example commands:

1) List paths in the file storage directory whose names match suspicious patterns (find is used to list the names because grep -r on its own searches file contents, not filenames):
   find /path/to/groupoffice/files | grep -i -E '<script|onerror|javascript:'

2) Query the database for filenames containing suspicious patterns (SQL example; adjust the table and column names to the installed schema):
   SELECT filename FROM files WHERE filename LIKE '%<script%' OR filename LIKE '%onerror%' OR filename LIKE '%javascript:%';

These commands help identify potentially malicious filenames that could trigger the stored XSS vulnerability when viewed in the application. [3]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

1) Upgrade Group-Office to a fixed version: at least version 6.8.149 or 25.0.80, where the vulnerability is patched.
2) Apply the patch that sanitizes filenames and file extensions using htmlspecialchars() to neutralize any embedded HTML or JavaScript before rendering.
3) As a temporary measure, avoid opening or interacting with files that have suspicious filenames until the patch or upgrade is applied.
4) Review and sanitize existing filenames in the database or file storage to remove or rename any maliciously crafted filenames.

These steps will prevent execution of stored XSS payloads embedded in filenames and protect users from session compromise or unauthorized browser actions. [1, 2, 3]
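The filename review from the detection answer and mitigation step 4 can be scripted. The following is an added example, not code from the advisory or the Group-Office project: it triages an exported list of stored filenames, and goes beyond the three grep patterns by also flagging any name containing characters that HTML encoding would rewrite. The names classify, audit and SAMPLE, and the sample filenames, are assumptions made for illustration.

```python
import html
import re

# Patterns from the detection advice above, widened to any on*= event handler.
HIGH_RISK = re.compile(r"<\s*script|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)
# Characters that HTML encoding (e.g. PHP htmlspecialchars) rewrites.
HTML_META = set("<>&\"'")


def classify(name: str) -> str:
    """Return 'high', 'review' or 'clean' for one stored filename."""
    if HIGH_RISK.search(name):
        return "high"
    if HTML_META & set(name):
        return "review"
    return "clean"


def audit(names):
    """Return (severity, escaped_name) for every non-clean filename.

    Names are HTML-escaped so the report itself is safe to open in a browser.
    """
    findings = []
    for name in names:
        severity = classify(name)
        if severity != "clean":
            findings.append((severity, html.escape(name, quote=True)))
    # 'high' sorts before 'review' alphabetically.
    return sorted(findings)


# Constructed sample, standing in for a filename column exported from the database.
SAMPLE = [
    "minutes-2026-01.pdf",
    "<script>1.txt",
    'photo" onerror="x.png',
    "Q&A draft.docx",
    "javascript_notes.md",  # no colon, no metacharacters: must stay clean
]

if __name__ == "__main__":
    for severity, safe_name in audit(SAMPLE):
        print(f"{severity:6} {safe_name}")
```

Entries reported as "review" are often legitimate names (an ampersand in a title, for instance); they are listed because they only render safely once the fixed version encodes them.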

