PT-2026-29881 · Unknown · Group-Office
Aarjubh · Published 2026-04-02 · Updated 2026-04-06
CVE-2026-34838
CVSS v3.1: 9.9 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Group-Office versions prior to 6.8.156, prior to 25.0.90, and prior to 26.0.12
Description
Group-Office is an enterprise customer relationship management and groupware tool. The AbstractSettingsCollection model deserializes setting strings insecurely when loading settings. An authenticated attacker can inject a serialized FileCookieJar object into a setting string; deserializing that object leads to arbitrary file write and ultimately remote code execution (RCE) on the server.
Recommendations
Update to version 6.8.156 or later.
Update to version 25.0.90 or later.
Update to version 26.0.12 or later.
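An audit check for the condition described above, added here as an example and not taken from Group-Office or this advisory: it walks stored setting values and lists any class names they would instantiate when deserialized. It assumes the values use PHP's native serialize() format; the setting names and the `Example\Placeholder` class are constructed sample data.

```python
# Added example. Assumption: setting values use PHP's native serialize() format.
def _lit(data, pos, lit):
    if data[pos:pos + len(lit)] != lit:
        raise ValueError("expected %r at offset %d" % (lit, pos))
    return pos + len(lit)
def _until(data, pos, stop):
    end = data.index(stop, pos)  # ValueError if the delimiter is missing
    return data[pos:end], end + len(stop)
def _quoted(data, pos):
    # <byte length>:"<bytes>" - the length, not the quotes, delimits the body
    n, pos = _until(data, pos, b':"')
    end = pos + int(n) if n.isdigit() else len(data) + 1
    return data[pos:end], _lit(data, end, b'"')
def _pairs(data, pos, count, found):
    for _ in range(2 * count):  # key, value, key, value, ...
        pos = _walk(data, pos, found)
    return _lit(data, pos, b"}")

def _walk(data, pos, found):
    tag, pos = data[pos:pos + 2], pos + 2
    if tag in (b"N;", b"b:", b"i:", b"d:", b"r:", b"R:"):  # scalars, references
        return pos if tag == b"N;" else _until(data, pos, b";")[1]
    if tag == b"s:":
        return _lit(data, _quoted(data, pos)[1], b";")
    if tag == b"a:":
        count, pos = _until(data, pos, b":{")
        return _pairs(data, pos, int(count), found)
    if tag in (b"O:", b"C:"):  # object, or object with custom serialization
        name, pos = _quoted(data, pos)
        found.append(name.decode("utf-8", "replace"))
        size, pos = _until(data, _lit(data, pos, b":"), b":{")
        if tag == b"C:":  # body is `size` opaque bytes
            return _lit(data, pos + int(size), b"}")
        return _pairs(data, pos, int(size), found)
    raise ValueError("unknown tag %r" % tag)

def embedded_classes(value):  # class names, or None if not serialize() data
    data, found = value.encode("utf-8"), []
    try:
        return found if _walk(data, 0, found) == len(data) else None
    except (ValueError, RecursionError):
        return None

def audit(rows):  # keep only settings whose value embeds an object
    return [(k, c) for k, v in rows if (c := embedded_classes(v))]

SAMPLE_ROWS = [("theme", 's:5:"Paper";'),  # constructed rows, not real data
               ("motd", 's:19:"O:8:"stdClass":0:{}";'),  # object-like text only
               ("import_state", 'a:1:{s:1:"k";O:19:"Example\\Placeholder":1:{s:1:"x";i:1;}}')]
```

`audit(SAMPLE_ROWS)` reports only `import_state`; the `motd` row is a plain string whose text merely looks like an object, which a pattern match on `O:` would misreport. A `None` result means the value is not parseable as serialize() data, including tags this walker does not cover such as enums.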
Fix
RCE
Deserialization of Untrusted Data
Affected Products
Group-Office