CVE-2026-30238

Name of the Vulnerable Software and Affected Versions Group-Office versions prior to 6.8.155 Group-Office versions prior to 25.0.88 Group-Office versions prior to 26.0.10

Description Group-Office is a customer relationship management and groupware tool. A reflected cross-site scripting (XSS) issue exists in the external/index flow. The f parameter, which contains Base64 encoded JSON data, is decoded and injected into an inline JavaScript block without proper sanitization. This allows for the injection of <script> tags and the execution of arbitrary JavaScript code in a user's browser. The vulnerable parameter is f.

Recommendations Update Group-Office to version 6.8.155 or later. Update Group-Office to version 25.0.88 or later. Update Group-Office to version 26.0.10 or later.