CVE-2026-41951
Path Traversal in GROWI Leading to Arbitrary EJS Template Execution
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: JPCERT/CC
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| growi | growi | to 7.5.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a path traversal issue found in GROWI version 7.5.0 and earlier. It allows an attacker to execute arbitrary EJS templates on the server, but only when an email server is configured in GROWI.
By exploiting this vulnerability, an attacker can run malicious code, including arbitrary OS commands, potentially leading to service disruption or unauthorized access.
How can this vulnerability impact me? :
Exploiting this vulnerability can have serious impacts including unauthorized execution of OS commands, code execution, and service interruption.
- Attackers can execute crafted EJS templates to run arbitrary OS commands.
- Attackers may steal sensitive files such as configuration files and private keys by abusing administrator sessions.
- It can lead to installation of backdoors and stopping of services.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade GROWI to version 7.5.1 or later, as this version contains the fix for the path traversal vulnerability.
This vulnerability affects GROWI v7.5.0 and earlier versions when an email server is configured, allowing attackers to execute arbitrary EJS templates and potentially execute OS commands or stop services.
Updating to the fixed version is the recommended and most effective mitigation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows attackers to execute arbitrary code and potentially access sensitive files such as configuration files and secret keys. This unauthorized access and potential data breach could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information.
Specifically, the risk of confidential data exposure and system compromise may violate requirements for data confidentiality, integrity, and availability mandated by these standards.
Mitigating this vulnerability by updating to GROWI v7.5.1 or later is essential to maintain compliance and reduce the risk of regulatory penalties.