Skip to main content

Growi CVE-2026-26291

| EUVDEUVD-2026-22834 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-15 jpcert GHSA-w2qc-5jvx-3g3v
4.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

5
CVSS changed
Apr 17, 2026 - 15:52 NVD
5.4 (MEDIUM) 4.8 (MEDIUM)
Analysis Generated
Apr 15, 2026 - 05:07 vuln.today
EUVD ID Assigned
Apr 15, 2026 - 05:00 euvd
EUVD-2026-22834
Analysis Generated
Apr 15, 2026 - 05:00 vuln.today
CVE Published
Apr 15, 2026 - 04:19 nvd
MEDIUM 4.8

DescriptionCVE.org

Stored cross-site scripting vulnerability exists in GROWI v7.4.6 and earlier. If this vulnerability is exploited, an arbitrary script may be executed in a user's web browser.

AnalysisAI

Stored cross-site scripting in GROWI v7.4.6 and earlier allows authenticated users to inject malicious scripts that execute in other users' browsers, compromising confidentiality and integrity of user sessions. The vulnerability requires user interaction (clicking a link or viewing affected content) and authenticated access, resulting in a CVSS score of 5.4 (medium severity). No public exploit code or active KEV confirmation is indicated in available data.

Technical ContextAI

GROWI is a wiki and knowledge management platform written in Node.js. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), which indicates insufficient input sanitization or output encoding in the web application. Stored XSS occurs when user-supplied data is persisted in a backend storage system (database or file) and subsequently rendered in HTML context without proper escaping, allowing injected JavaScript to execute with the privileges of authenticated session holders. The affected product is identified by CPE cpe:2.3:a:growi,_inc.:growi:*:*:*:*:*:*:*:*, indicating all versions up to and including 7.4.6 are in scope.

RemediationAI

Users should upgrade GROWI to a patched version released after v7.4.6; consult the GROWI release notes at https://growi.co.jp/news/43/ to confirm the exact fix version available. As a preventive control pending patching, administrators should restrict access to GROWI to trusted users and monitor for suspicious content creation or modification, particularly in publicly visible pages. Ensure that GROWI is deployed behind authentication controls and consider implementing a Web Application Firewall (WAF) with XSS filtering rules to detect and block common injection patterns.

More in Growi

View all
CVE-2021-20736 CRITICAL
9.1 Jun 22

NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the inf

CVE-2019-5968 HIGH
8.8 Jul 05

Cross-site request forgery (CSRF) vulnerability in GROWI v3.4.6 and earlier allows remote attackers to hijack the authen

CVE-2026-41040 HIGH
8.7 Apr 23

Remote denial of service via regular expression attack in GROWI allows unauthenticated network attackers to exhaust serv

CVE-2026-25083 HIGH
8.7 Mar 16

Cross-user data exposure and tampering in GROWI v7.4.5 and earlier allows any authenticated user who learns a shared AI

CVE-2026-41951 HIGH
8.6 May 11

Remote path traversal in GROWI v7.5.0 and earlier allows authenticated administrators to execute arbitrary EJS templates

CVE-2021-20670 HIGH
7.5 Mar 10

Improper access control vulnerability in GROWI versions v4.2.2 and earlier allows a remote unauthenticated attacker to r

CVE-2020-5683 HIGH
7.5 Dec 16

Directory traversal vulnerability in GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1

CVE-2020-5682 HIGH
7.5 Dec 16

Improper input validation in GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series)

CVE-2020-5676 HIGH
7.5 Dec 03

GROWI v4.1.3 and earlier allow remote attackers to obtain information which is not allowed to access via unspecified vec

CVE-2019-13338 HIGH
7.5 Jul 09

In WESEEK GROWI before 3.5.0, a remote attacker can obtain the password hash of the creator of a page by leveraging wiki

CVE-2019-13337 HIGH
7.5 Jul 09

In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token

CVE-2021-20671 HIGH
7.2 Mar 10

Invalid file validation on the upload feature in GROWI versions v4.2.2 allows a remote attacker with administrative priv

Share

CVE-2026-26291 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy