CVE-2026-26291
Stored XSS in GROWI ≤ v7.4.6 Allows Script Execution
Publication date: 2026-04-15
Last updated on: 2026-04-15
Assigner: JPCERT/CC
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| growi | growi | 7.4.6 and earlier (< 7.4.7; 7.4.7 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26291 is a stored cross-site scripting (XSS) vulnerability in GROWI versions 7.4.6 and earlier.
The flaw is in the file upload feature: a user who is allowed to upload attachments can upload a crafted HTML file, and because the vulnerable versions serve such a file inline (rendered as a web page) rather than as a download, any script it contains runs in the browser of every user who opens the attachment's URL.
That gives the attacker arbitrary script execution in victims' browsers, which can be used, for example, to redirect logged-in users to phishing sites or to display other malicious content.
How can this vulnerability impact me?
If exploited, this vulnerability leads to arbitrary script execution in the browsers of users who open attachments on the affected GROWI system.
Users can be redirected to phishing sites or have malicious content executed in their browsers.
How much further the impact reaches depends on where attachments are served from. If they are served from the same origin as the GROWI application, the injected script runs in that origin and can read what the page can read and make authenticated requests on the victim's behalf. If attachments are served from a separate domain, the same-origin policy keeps the script away from GROWI's cookies and data, which limits direct impacts such as cookie theft, but a convincing phishing page or redirect delivered from a trusted-looking URL can still lead to session compromise or exposure of user data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability exists in GROWI versions 7.4.6 and earlier, specifically in the file upload feature, where a crafted HTML file can be uploaded and is later served in a way that lets the browser execute its script.
Detection therefore has two parts: confirm whether the instance runs a vulnerable version (7.4.6 or earlier), and check how the instance serves uploaded files. The second check is generic HTTP: request an uploaded HTML attachment (for example with `curl -I` against its URL) and inspect the response; a `Content-Type` of `text/html` without `Content-Disposition: attachment` means the browser will render it as a page, which is the vulnerable condition. Reviewing the attachment store for HTML files (and other types a browser renders as a document) that no one expects to be there, and watching for new uploads of that kind, covers the other side.
No specific detection commands are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to update GROWI to version 7.4.7 or later.
Version 7.4.7 introduces administrator control over the `Content-Disposition` header for uploaded files: files whose MIME type is not on the administrator-approved list are served with `Content-Disposition: attachment`, so the browser downloads them instead of rendering them, and any script they contain never runs in the GROWI origin.
Until the update is applied, restrict who is allowed to upload files, review existing attachments for unexpected HTML files, and monitor new uploads for them.
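The following is an added example, not code from the GROWI project or from this advisory, covering both the detection question above and the 7.4.7 mitigation. The first function classifies the response headers of an uploaded file the way a browser would (rendered inline, downloaded, or inline but not a document type), which is the check to run against an attachment URL on a suspect instance; the second is a server-side rule modelled on the described fix, serving only administrator-approved MIME types inline and forcing everything else to download. The allowlist, the set of "renderable" types, the sample headers and the `fetch_headers` helper are assumptions of this example, not GROWI's configuration or API.

```python
"""Check and model inline-HTML attachment delivery (CVE-2026-26291 class).

Added example; not GROWI project code. Sample headers below are
constructed, not captured from a real instance.
"""
import sys
import urllib.request

# Types a browser renders as a document when served inline; script inside
# them executes in the serving origin. General browser behaviour, assumed
# complete enough for this check (not a list taken from the advisory).
RENDERABLE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml",
}

# Assumed administrator allowlist of MIME types permitted to be served inline.
DEFAULT_INLINE_ALLOWLIST = {"image/png", "image/jpeg", "image/gif", "application/pdf"}


def _split_header(value):
    """Split 'token; k=v; k2="v2"' into (lower-cased token, params dict)."""
    if not value:
        return "", {}
    token, _, rest = value.partition(";")
    params = {}
    for part in rest.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            params[key.lower()] = val.strip().strip('"')
    return token.strip().lower(), params


def classify_attachment_response(headers):
    """Classify how a browser treats an uploaded file from its response headers.

    headers: mapping of header name -> value (names matched case-insensitively).
    Returns:
      'attachment'        - Content-Disposition forces a download (the fixed behaviour)
      'inline-renderable' - the file is rendered as a document, so embedded
                            script runs in the serving origin (the vulnerable condition)
      'inline-safe'       - served inline but not as a document type
    A missing Content-Type counts as renderable because the browser will sniff it.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    disposition, _ = _split_header(lower.get("content-disposition"))
    if disposition == "attachment":
        return "attachment"
    ctype, _ = _split_header(lower.get("content-type"))
    if ctype == "" or ctype in RENDERABLE_TYPES:
        return "inline-renderable"
    return "inline-safe"


def content_disposition_for(mime_type, filename, inline_allowlist=DEFAULT_INLINE_ALLOWLIST):
    """Server-side rule modelled on the described 7.4.7 behaviour (assumed shape).

    Approved types are served inline; every other type is forced to download.
    The filename is reduced to printable ASCII without quote, backslash,
    semicolon or line breaks so it cannot break out of the quoted parameter.
    """
    ctype, _ = _split_header(mime_type)
    disposition = "inline" if ctype in inline_allowlist else "attachment"
    safe_name = "".join(
        ch for ch in filename
        if ch.isascii() and ch.isprintable() and ch not in '"\\;'
    )
    return f'{disposition}; filename="{safe_name or "download"}"'


def fetch_headers(url):
    """HEAD an attachment URL and return its response headers (network access)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed sample responses (assumed; not captured from a real GROWI instance).
SAMPLE_VULNERABLE = {"Content-Type": "text/html; charset=utf-8",
                     "Content-Disposition": 'inline; filename="notes.html"'}
SAMPLE_FIXED = {"Content-Type": "text/html; charset=utf-8",
                "Content-Disposition": 'attachment; filename="notes.html"'}
SAMPLE_IMAGE = {"Content-Type": "image/png",
                "Content-Disposition": 'inline; filename="diagram.png"'}


if __name__ == "__main__":
    # With a URL argument, check a live attachment; otherwise use the samples.
    if len(sys.argv) > 1:
        samples = {sys.argv[1]: fetch_headers(sys.argv[1])}
    else:
        samples = {"constructed-vulnerable": SAMPLE_VULNERABLE,
                   "constructed-fixed": SAMPLE_FIXED,
                   "constructed-image": SAMPLE_IMAGE}
    for name, hdrs in samples.items():
        print(f"{name}: {classify_attachment_response(hdrs)}")
```

Run it with the URL of an uploaded `.html` attachment on the instance under review; a result of `inline-renderable` is the condition the 7.4.7 change removes. The header parser deliberately ignores the `filename` parameter when classifying, since the browser decides rendering on the disposition token and the media type, not on the file extension.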
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how the stored cross-site scripting (XSS) vulnerability in GROWI affects compliance with common standards and regulations such as GDPR or HIPAA.