Skip to main content

GROWI CVE-2026-41951

| EUVDEUVD-2026-29047 HIGH
Path Traversal (CWE-22)
2026-05-11 jpcert GHSA-x9j3-g3hc-fc94
8.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 11, 2026 - 10:31 vuln.today
CVSS changed
May 11, 2026 - 10:22 NVD
7.2 (HIGH) 8.6 (HIGH)
CVE Published
May 11, 2026 - 09:32 nvd
HIGH 8.6

DescriptionCVE.org

Path traversal vulnerability exists in GROWI v7.5.0 and earlier, which may allow an attacker to execute arbitrary EJS templates on the server when an email server is running in GROWI.

AnalysisAI

Remote path traversal in GROWI v7.5.0 and earlier allows authenticated administrators to execute arbitrary EJS templates on the server when an email server is configured. The vulnerability enables template injection through directory traversal, potentially leading to remote code execution. Exploitation requires high privileges (administrator role) and a specific deployment configuration with email server functionality enabled. No active exploitation confirmed in CISA KEV, but CVSS 8.6 reflects the severity of arbitrary code execution impact once prerequisites are met.

Technical ContextAI

GROWI is an open-source team wiki and knowledge base platform built on Node.js. This vulnerability affects the EJS (Embedded JavaScript) template rendering engine integration within GROWI's email functionality. CWE-22 path traversal occurs when user-controlled input is insufficiently validated before being used in file system operations. In this case, an authenticated administrator can manipulate file paths to traverse directories and reference arbitrary EJS template files on the server filesystem. When GROWI's email server component processes these malicious paths, it renders the attacker-specified templates, allowing execution of embedded JavaScript code server-side. The affected product per CPE is cpe:2.3:a:growi,_inc.:growi:*:*:*:*:*:*:*:* covering all versions through 7.5.0.

RemediationAI

Upgrade GROWI to version 7.5.1 or later, which addresses the path traversal vulnerability in EJS template handling per vendor advisory at https://growi.co.jp/news/44/. Organizations unable to immediately patch should implement compensating controls: disable email server functionality in GROWI configuration if not business-critical, restrict GROWI administrative access to only essential personnel with verified credentials, implement file system access controls to limit template directory traversal, and monitor authentication logs for suspicious admin activity. Note that disabling email functionality eliminates the attack vector entirely but removes notification capabilities. Network segmentation does not mitigate this issue as it requires authenticated access already presumed to have network connectivity.

More in Growi

View all
CVE-2021-20736 CRITICAL
9.1 Jun 22

NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the inf

CVE-2019-5968 HIGH
8.8 Jul 05

Cross-site request forgery (CSRF) vulnerability in GROWI v3.4.6 and earlier allows remote attackers to hijack the authen

CVE-2026-41040 HIGH
8.7 Apr 23

Remote denial of service via regular expression attack in GROWI allows unauthenticated network attackers to exhaust serv

CVE-2026-25083 HIGH
8.7 Mar 16

Cross-user data exposure and tampering in GROWI v7.4.5 and earlier allows any authenticated user who learns a shared AI

CVE-2021-20670 HIGH
7.5 Mar 10

Improper access control vulnerability in GROWI versions v4.2.2 and earlier allows a remote unauthenticated attacker to r

CVE-2020-5683 HIGH
7.5 Dec 16

Directory traversal vulnerability in GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1

CVE-2020-5682 HIGH
7.5 Dec 16

Improper input validation in GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series)

CVE-2020-5676 HIGH
7.5 Dec 03

GROWI v4.1.3 and earlier allow remote attackers to obtain information which is not allowed to access via unspecified vec

CVE-2019-13338 HIGH
7.5 Jul 09

In WESEEK GROWI before 3.5.0, a remote attacker can obtain the password hash of the creator of a page by leveraging wiki

CVE-2019-13337 HIGH
7.5 Jul 09

In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token

CVE-2021-20671 HIGH
7.2 Mar 10

Invalid file validation on the upload feature in GROWI versions v4.2.2 allows a remote attacker with administrative priv

CVE-2023-50332 MEDIUM
6.5 Dec 26

Improper authorization vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.0.6

Share

CVE-2026-41951 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy