CVE-2026-27947
Received - Intake
Authenticated Remote Code Execution in Group-Office TNEF Processing
Publication date: 2026-02-27
Last updated on: 2026-03-04
Assigner: GitHub, Inc.
Description
Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.9, 25.0.87, and 6.8.154 have an authenticated Remote Code Execution vulnerability in the TNEF attachment processing flow. The vulnerable path extracts attacker-controlled files from `winmail.dat` and then invokes `zip` with a shell wildcard (`*`). Because extracted filenames are attacker-controlled, they can be interpreted as `zip` options and lead to arbitrary command execution. Versions 26.0.9, 25.0.87, and 6.8.154 fix the issue.
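The following is an added example, not Group-Office code and not taken from the advisory. It shows why a bare `*` hands extracted filenames to a program as option-like arguments, and a fail-closed check to run on an extraction directory before archiving it; the function names and sample filenames are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; not Group-Office code. Function names are hypothetical
# and the sample filenames are constructed.

# Arguments a program receives when the shell expands a bare * inside $1.
args_bare() { ( cd "$1" && printf '%s\n' * ); }

# Same expansion anchored to ./ so no resulting argument can begin with '-'.
args_anchored() { ( cd "$1" && printf '%s\n' ./* ); }

# List entries of $1 whose names would be parsed as options by a bare *.
optionlike_names() {
    ( cd "$1" || exit 1
      for f in *; do
          [ -e "./$f" ] || continue       # an unmatched glob stays literal
          case $f in -*) printf '%s\n' "$f" ;; esac
      done )
}

# Gate to run before archiving an extraction directory: fail closed.
extraction_is_safe() {
    [ -z "$(optionlike_names "$1")" ]
}

demo() {
    d=$(mktemp -d) || return 1
    : > "$d/report.txt"                   # constructed benign attachment
    : > "$d/--constructed-option"         # constructed option-like name
    echo "bare *:"; args_bare "$d"
    echo "./*:";    args_anchored "$d"
    if extraction_is_safe "$d"; then
        echo "safe to archive"
    else
        echo "rejected: $(optionlike_names "$d")"
    fi
    rm -rf "$d"
}
demo
```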
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| intermesh | group-office | to 6.8.154 (exc) |
| intermesh | group-office | From 25.0.1 (inc) to 25.0.87 (exc) |
| intermesh | group-office | From 26.0.1 (inc) to 26.0.9 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-88 | The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. |
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |