Skip to main content

Group Office CVE-2026-25512

HIGH
OS Command Injection (CWE-78)
2026-02-04 security-advisories@github.com
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
PoC Detected
Feb 11, 2026 - 19:15 vuln.today
Public exploit code
Patch released
Feb 11, 2026 - 19:15 nvd
Patch available
CVE Published
Feb 04, 2026 - 21:16 nvd
HIGH 8.8

DescriptionGitHub Advisory

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, there is a remote code execution (RCE) vulnerability in Group-Office. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled parameter tmp_file into an exec() call. By injecting shell metacharacters into tmp_file, an authenticated attacker can execute arbitrary system commands on the server. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5.

AnalysisAI

Authenticated attackers can execute arbitrary commands on Group-Office servers through unsanitized user input in the email attachment endpoint, where shell metacharacters are directly passed to system execution functions. The vulnerability affects Group-Office versions prior to 6.8.150, 25.0.82, and 26.0.5, and public exploit code exists. Organizations should apply available patches immediately as this is actively exploitable by authenticated users.

Technical ContextAI

Classified as CWE-78 (OS Command Injection). Affects the Group-Office. The component of Group Office. Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, there is a remote code execution (RCE) vulnerability in Group-Office. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled parameter tmp_file into an exec() call. By injecting shell metacharacters into tmp_file, an authenticated attacker can execute arbitrary system commands on the server. This issue has been patched in vers

RemediationAI

A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.

CVE-2026-25134 HIGH POC
8.8 Feb 02

Remote code execution in Group Office versions prior to 6.8.150, 25.0.82, and 26.0.5 allows authenticated attackers to e

CVE-2023-46730 HIGH POC
8.8 Nov 07

Group-Office is an enterprise CRM and groupware tool. Rated high severity (CVSS 8.8), this vulnerability is remotely exp

CVE-2025-25191 MEDIUM POC
6.9 Mar 06

Group-Office is an enterprise CRM and groupware tool. Rated medium severity (CVSS 6.9), this vulnerability is remotely e

CVE-2023-25292 MEDIUM POC
6.1 Apr 27

Reflected Cross Site Scripting (XSS) in Intermesh BV Group-Office version 6.6.145, allows attackers to gain escalated pr

CVE-2026-30238 MEDIUM POC
6.1 Mar 06

Reflected cross-site scripting in GroupOffice versions before 6.8.155, 25.0.88, and 26.0.10 allows unauthenticated attac

CVE-2026-30237 MEDIUM POC
6.1 Mar 06

Reflected cross-site scripting in GroupOffice installer versions prior to 6.8.155, 25.0.88, and 26.0.10 allows unauthent

CVE-2025-48368 MEDIUM POC
5.8 May 22

Group-Office is an enterprise customer relationship management and groupware tool. Rated medium severity (CVSS 5.8), thi

CVE-2026-23887 MEDIUM POC
5.4 Jan 22

Stored XSS in Group-Office through unsanitized filenames allows authenticated users to inject malicious scripts that exe

CVE-2024-22418 MEDIUM POC
5.4 Jan 18

Group-Office is an enterprise CRM and groupware tool. Rated medium severity (CVSS 5.4), this vulnerability is remotely e

CVE-2021-28060 MEDIUM POC
5.3 Apr 14

A Server-Side Request Forgery (SSRF) vulnerability in Group Office 6.4.196 allows a remote attacker to forge GET request

CVE-2026-25511 MEDIUM POC
4.9 Feb 04

Server-side request forgery in Group Office's WOPI service discovery allows authenticated System Administrators to acces

CVE-2026-27947 HIGH
8.8 Feb 27

Group Office versions before 26.0.9, 25.0.87, and 6.8.154 allow authenticated attackers to execute arbitrary commands th

Share

CVE-2026-25512 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy