CVE-2026-26291
Deferred Deferred - Pending Action
Stored XSS in GROWI ≀ v7.4.6 Allows Script Execution

Publication date: 2026-04-15

Last updated on: 2026-05-19

Assigner: JPCERT/CC

Description
Stored cross-site scripting vulnerability exists in GROWI v7.4.6 and earlier. If this vulnerability is exploited, an arbitrary script may be executed in a user's web browser.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-15
Last Modified
2026-05-19
Generated
2026-06-16
AI Q&A
2026-04-15
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26291
EUVD
EUVD-2026-22834
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
growi growi to 7.4.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how the stored cross-site scripting (XSS) vulnerability in GROWI affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-26291 is a stored cross-site scripting (XSS) vulnerability found in GROWI versions 7.4.6 and earlier.

This vulnerability exists in the file upload feature, where attackers can upload specially crafted HTML files that execute arbitrary scripts in the browsers of users who access those files.

When exploited, this allows an attacker to run malicious scripts in a user's web browser, potentially redirecting logged-in users to phishing sites or executing other harmful content.

Impact Analysis

If exploited, this vulnerability can lead to arbitrary script execution in the browsers of users accessing the affected GROWI system.

This can result in users being redirected to phishing sites or having malicious content executed in their browsers.

Although direct impacts such as cookie theft from the GROWI domain are limited when files are served from external domains, the risk of session compromise or user data exposure remains.

Detection Guidance

The vulnerability exists in GROWI versions 7.4.6 and earlier, specifically in the file upload feature where crafted HTML files can be uploaded to execute arbitrary scripts in users' browsers.

Detection would involve identifying if your system is running a vulnerable version of GROWI (7.4.6 or earlier) and monitoring for suspicious file uploads or unexpected HTML files being served.

No specific detection commands are provided in the available resources.

Mitigation Strategies

The immediate and recommended mitigation step is to update GROWI to version 7.4.7 or later.

Version 7.4.7 introduces controls over the Content-Disposition header, forcing files with MIME types not approved by administrators to be downloaded as attachments, which prevents script execution in browsers.

Additionally, review and restrict file upload permissions and monitor for any suspicious file uploads until the update is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26291. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart