Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Path traversal vulnerability exists in GROWI v7.5.0 and earlier, which may allow an attacker to execute arbitrary EJS templates on the server when an email server is running in GROWI.
AnalysisAI
Remote path traversal in GROWI v7.5.0 and earlier allows authenticated administrators to execute arbitrary EJS templates on the server when an email server is configured. The vulnerability enables template injection through directory traversal, potentially leading to remote code execution. Exploitation requires high privileges (administrator role) and a specific deployment configuration with email server functionality enabled. No active exploitation confirmed in CISA KEV, but CVSS 8.6 reflects the severity of arbitrary code execution impact once prerequisites are met.
Technical ContextAI
GROWI is an open-source team wiki and knowledge base platform built on Node.js. This vulnerability affects the EJS (Embedded JavaScript) template rendering engine integration within GROWI's email functionality. CWE-22 path traversal occurs when user-controlled input is insufficiently validated before being used in file system operations. In this case, an authenticated administrator can manipulate file paths to traverse directories and reference arbitrary EJS template files on the server filesystem. When GROWI's email server component processes these malicious paths, it renders the attacker-specified templates, allowing execution of embedded JavaScript code server-side. The affected product per CPE is cpe:2.3:a:growi,_inc.:growi:*:*:*:*:*:*:*:* covering all versions through 7.5.0.
RemediationAI
Upgrade GROWI to version 7.5.1 or later, which addresses the path traversal vulnerability in EJS template handling per vendor advisory at https://growi.co.jp/news/44/. Organizations unable to immediately patch should implement compensating controls: disable email server functionality in GROWI configuration if not business-critical, restrict GROWI administrative access to only essential personnel with verified credentials, implement file system access controls to limit template directory traversal, and monitor authentication logs for suspicious admin activity. Note that disabling email functionality eliminates the attack vector entirely but removes notification capabilities. Network segmentation does not mitigate this issue as it requires authenticated access already presumed to have network connectivity.
NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the inf
Cross-site request forgery (CSRF) vulnerability in GROWI v3.4.6 and earlier allows remote attackers to hijack the authen
Remote denial of service via regular expression attack in GROWI allows unauthenticated network attackers to exhaust serv
Cross-user data exposure and tampering in GROWI v7.4.5 and earlier allows any authenticated user who learns a shared AI
Improper access control vulnerability in GROWI versions v4.2.2 and earlier allows a remote unauthenticated attacker to r
Directory traversal vulnerability in GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1
Improper input validation in GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series)
GROWI v4.1.3 and earlier allow remote attackers to obtain information which is not allowed to access via unspecified vec
In WESEEK GROWI before 3.5.0, a remote attacker can obtain the password hash of the creator of a page by leveraging wiki
In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token
Invalid file validation on the upload feature in GROWI versions v4.2.2 allows a remote attacker with administrative priv
Improper authorization vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.0.6
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29047
GHSA-x9j3-g3hc-fc94