What is the CVSS score of CVE-2026-23887?

CVE-2026-23887 has a CVSS 3.1 base score of 5.4 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. EPSS exploitation probability: 0.1%.

Which versions of Group Office are affected by CVE-2026-23887?

Organizations using Group-Office should be aware of moderate risk from CVE-2026-23887, a input validation vulnerability rated CVSS 5.4.. A patch is available.

Is there a public PoC exploit available for CVE-2026-23887?

Yes, a public proof-of-concept exploit is available for CVE-2026-23887. Prioritise patching immediately. EPSS: 0.1%.

Group Office CVE-2026-23887

MEDIUM

Improper Input Validation (CWE-20)

2026-01-22 security-advisories@github.com

XSS Group Office

5.4

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 18, 2026 - 15:03 vuln.today

Public exploit code

Patch released

Feb 18, 2026 - 15:03 nvd

Patch available

CVE Published

Jan 22, 2026 - 00:15 nvd

MEDIUM 5.4

DescriptionNVD

Group-Office is an enterprise customer relationship management and groupware tool. In versions 6.8.148 and below, and 25.0.1 through 25.0.79, the application stores unsanitized filenames in the database, which can lead to Stored Cross-Site Scripting (XSS). Users who interact with these specially crafted file names within the Group-Office application are affected. While the scope is limited to the file-viewing context, it could still be used to interfere with user sessions or perform unintended actions in the browser. This issue is fixed in versions 6.8.149 and 25.0.80.

AnalysisAI

Stored XSS in Group-Office through unsanitized filenames allows authenticated users to inject malicious scripts that execute when other users view affected files, potentially compromising sessions or triggering unintended browser actions. The vulnerability affects versions 6.8.148 and below, and 25.0.1 through 25.0.79, with public exploit code available. …

RemediationAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-23887 vulnerability details – vuln.today

Back