Skip to main content

Growi

43 CVEs product

Monthly

CVE-2026-41951 HIGH This Week

Remote path traversal in GROWI v7.5.0 and earlier allows authenticated administrators to execute arbitrary EJS templates on the server when an email server is configured. The vulnerability enables template injection through directory traversal, potentially leading to remote code execution. Exploitation requires high privileges (administrator role) and a specific deployment configuration with email server functionality enabled. No active exploitation confirmed in CISA KEV, but CVSS 8.6 reflects the severity of arbitrary code execution impact once prerequisites are met.

Path Traversal Growi
NVD VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-41040 HIGH This Week

Remote denial of service via regular expression attack in GROWI allows unauthenticated network attackers to exhaust server resources by submitting maliciously crafted input strings that trigger catastrophic backtracking in regex processing (CWE-1333). GROWI, Inc.'s collaboration platform is vulnerable to ReDoS with a CVSS 4.0 base score of 8.7 (High), reflecting high availability impact through network-accessible, low-complexity exploitation requiring no privileges or user interaction. No CISA KEV listing or public exploit code identified at time of analysis, though vendor advisory confirms the vulnerability and provides remediation guidance.

Denial Of Service Growi
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-26291 MEDIUM This Month

Stored cross-site scripting in GROWI v7.4.6 and earlier allows authenticated users to inject malicious scripts that execute in other users' browsers, compromising confidentiality and integrity of user sessions. The vulnerability requires user interaction (clicking a link or viewing affected content) and authenticated access, resulting in a CVSS score of 5.4 (medium severity). No public exploit code or active KEV confirmation is indicated in available data.

XSS Growi
NVD
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-25083 HIGH This Week

Cross-user data exposure and tampering in GROWI v7.4.5 and earlier allows any authenticated user who learns a shared AI assistant's identifier to read or modify other users' OpenAI thread and message contents via API endpoints that omit authorization checks. The flaw stems from missing access control (CWE-862) on the AI assistant interaction layer rather than a memory-corruption or injection bug. No public exploit identified at time of analysis, and EPSS rates near-term exploitation probability at 0.04% (12th percentile).

Authentication Bypass Growi
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2023-50339 MEDIUM This Month

Stored cross-site scripting vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.1.11. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Growi
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2023-50332 MEDIUM This Month

Improper authorization vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.0.6. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Growi
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2023-50294 MEDIUM This Month

The App Settings (/admin/app) page in GROWI versions prior to v6.0.6 stores sensitive information in cleartext form. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Growi
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2023-50175 MEDIUM This Month

Stored cross-site scripting vulnerability exists in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page of GROWI versions prior. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Growi
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2023-49807 MEDIUM This Month

Stored cross-site scripting vulnerability when processing the MathJax exists in GROWI versions prior to v6.0.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Growi
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2023-49779 MEDIUM This Month

Stored cross-site scripting vulnerability exists in the anchor tag of GROWI versions prior to v6.0.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Growi
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2023-49598 MEDIUM This Month

Stored cross-site scripting vulnerability exists in the event handlers of the pre tags in GROWI versions prior to v6.0.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Growi
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2023-49119 MEDIUM This Month

Stored cross-site scripting vulnerability via the img tags exists in GROWI versions prior to v6.0.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Growi
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-47215 MEDIUM This Month

Stored cross-site scripting vulnerability which is exploiting a behavior of the XSS Filter exists in GROWI versions prior to v6.0.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Growi
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2023-46699 MEDIUM This Month

Cross-site request forgery (CSRF) vulnerability exists in the User settings (/me) page of GROWI versions prior to v6.0.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Growi
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2023-45740 MEDIUM This Month

Stored cross-site scripting vulnerability when processing profile images exists in GROWI versions prior to v4.1.3. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Growi
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2023-45737 MEDIUM This Month

Stored cross-site scripting vulnerability exists in the App Settings (/admin/app) page and the Markdown Settings (/admin/markdown) page of GROWI versions prior to v3.5.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Growi
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2023-42436 MEDIUM This Month

Stored cross-site scripting vulnerability exists in the presentation feature of GROWI versions prior to v3.4.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Growi
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2022-41799 MEDIUM This Month

Improper access control vulnerability in GROWI prior to v5.1.4 (v5 series) and versions prior to v4.5.25 (v4 series) allows a remote authenticated attacker to bypass access restriction and download. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Growi
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2022-1236 MEDIUM PATCH This Month

Weak Password Requirements in GitHub repository weseek/growi prior to v5.0.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Brute Force Information Disclosure Growi
NVD GitHub
CVSS 3.1
6.5
EPSS
0.5%
CVE-2021-20829 MEDIUM This Month

Cross-site scripting vulnerability due to the inadequate tag sanitization in GROWI versions v4.2.19 and earlier allows remote attackers to execute an arbitrary script on the web browser of the user. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Growi
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2021-20737 MEDIUM This Month

Improper authentication vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to view the unauthorized pages without access privileges via unspecified vectors. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Growi
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2021-20736 CRITICAL Act Now

NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the information stored in the database via unspecified vectors. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Growi
NVD
CVSS 3.1
9.1
EPSS
1.3%
CVE-2021-20673 MEDIUM This Month

Stored cross-site scripting vulnerability in Admin Page of GROWI (v4.2 Series) versions from v4.2.0 to v4.2.7 allows remote authenticated attackers to inject an arbitrary script via unspecified. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Growi
NVD
CVSS 3.1
4.8
EPSS
0.8%
CVE-2021-20672 MEDIUM This Month

Reflected cross-site scripting vulnerability due to insufficient verification of URL query parameters in GROWI (v4.2 Series) versions from v4.2.0 to v4.2.7 allows remote attackers to inject an. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Growi
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-20671 HIGH This Week

Invalid file validation on the upload feature in GROWI versions v4.2.2 allows a remote attacker with administrative privilege to overwrite the files on the server, which may lead to arbitrary code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Growi
NVD
CVSS 3.1
7.2
EPSS
1.8%
CVE-2021-20670 HIGH This Week

Improper access control vulnerability in GROWI versions v4.2.2 and earlier allows a remote unauthenticated attacker to read the user's personal information and/or server's internal information via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Growi
NVD
CVSS 3.1
7.5
EPSS
1.5%
CVE-2021-20669 MEDIUM This Month

Path traversal vulnerability in GROWI versions v4.2.2 and earlier allows an attacker with administrator rights to read and/or delete an arbitrary path via a specially crafted URL. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Growi
NVD
CVSS 3.1
4.7
EPSS
0.8%
CVE-2021-20668 LOW Monitor

Path traversal vulnerability in GROWI versions v4.2.2 and earlier allows an attacker with administrator rights to read an arbitrary path via a specially crafted URL. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Growi
NVD
CVSS 3.1
2.7
EPSS
0.8%
CVE-2021-20667 MEDIUM This Month

Stored cross-site scripting vulnerability due to inadequate CSP (Content Security Policy) configuration in GROWI versions v4.2.2 and earlier allows remote authenticated attackers to inject an. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Growi
NVD
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-20619 MEDIUM This Month

Cross-site scripting vulnerability in GROWI (v4.2 Series) versions prior to v4.2.3 allows remote attackers to inject an arbitrary script via unspecified vectors. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Growi
NVD GitHub
CVSS 3.1
6.1
EPSS
1.0%
CVE-2020-5683 HIGH This Week

Directory traversal vulnerability in GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier GROWI versions prior to v4.2.3 (v4.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Growi
NVD GitHub
CVSS 3.1
7.5
EPSS
3.0%
CVE-2020-5682 HIGH This Week

Improper input validation in GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier GROWI versions prior to v4.2.3 (v4.2 Series),. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Growi
NVD GitHub
CVSS 3.1
7.5
EPSS
2.0%
CVE-2020-5678 MEDIUM This Month

Stored cross-site scripting vulnerability in GROWI v3.8.1 and earlier allows remote attackers to inject arbitrary script via unspecified vectors. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Growi
NVD GitHub
CVSS 3.1
6.1
EPSS
1.2%
CVE-2020-5677 MEDIUM This Month

Reflected cross-site scripting vulnerability in GROWI v4.0.0 and earlier allows remote attackers to inject arbitrary script via unspecified vectors. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Growi
NVD GitHub
CVSS 3.1
6.1
EPSS
1.1%
CVE-2020-5676 HIGH This Week

GROWI v4.1.3 and earlier allow remote attackers to obtain information which is not allowed to access via unspecified vectors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Growi
NVD GitHub
CVSS 3.1
7.5
EPSS
1.8%
CVE-2019-13338 HIGH This Week

In WESEEK GROWI before 3.5.0, a remote attacker can obtain the password hash of the creator of a page by leveraging wiki access to make API calls for page metadata. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Growi
NVD GitHub
CVSS 3.0
7.5
EPSS
1.8%
CVE-2019-13337 HIGH This Week

In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token (this is the parameter used by the API). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Growi
NVD GitHub
CVSS 3.0
7.5
EPSS
1.4%
CVE-2019-5969 MEDIUM This Month

Open redirect vulnerability in GROWI v3.4.6 and earlier allows remote attackersto redirect users to arbitrary web sites and conduct phishing attacks via the process of login. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Growi
NVD
CVSS 3.0
6.1
EPSS
1.1%
CVE-2019-5968 HIGH This Week

Cross-site request forgery (CSRF) vulnerability in GROWI v3.4.6 and earlier allows remote attackers to hijack the authentication of administrators via updating user's 'Basic Info'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Growi
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2018-0655 MEDIUM This Month

Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via the app settings section of admin page. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Growi
NVD
CVSS 3.0
4.8
EPSS
0.7%
CVE-2018-0654 MEDIUM This Month

Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the modal for creating Wiki page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Growi
NVD
CVSS 3.0
6.1
EPSS
0.9%
CVE-2018-0653 MEDIUM This Month

Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via Wiki page view. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Growi
NVD
CVSS 3.0
6.1
EPSS
0.9%
CVE-2018-0652 MEDIUM This Month

Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via the UserGroup Management section of admin page. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Growi
NVD
CVSS 3.0
4.8
EPSS
0.7%
EPSS 0% CVSS 8.6
HIGH This Week

Remote path traversal in GROWI v7.5.0 and earlier allows authenticated administrators to execute arbitrary EJS templates on the server when an email server is configured. The vulnerability enables template injection through directory traversal, potentially leading to remote code execution. Exploitation requires high privileges (administrator role) and a specific deployment configuration with email server functionality enabled. No active exploitation confirmed in CISA KEV, but CVSS 8.6 reflects the severity of arbitrary code execution impact once prerequisites are met.

Path Traversal Growi
NVD VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Remote denial of service via regular expression attack in GROWI allows unauthenticated network attackers to exhaust server resources by submitting maliciously crafted input strings that trigger catastrophic backtracking in regex processing (CWE-1333). GROWI, Inc.'s collaboration platform is vulnerable to ReDoS with a CVSS 4.0 base score of 8.7 (High), reflecting high availability impact through network-accessible, low-complexity exploitation requiring no privileges or user interaction. No CISA KEV listing or public exploit code identified at time of analysis, though vendor advisory confirms the vulnerability and provides remediation guidance.

Denial Of Service Growi
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored cross-site scripting in GROWI v7.4.6 and earlier allows authenticated users to inject malicious scripts that execute in other users' browsers, compromising confidentiality and integrity of user sessions. The vulnerability requires user interaction (clicking a link or viewing affected content) and authenticated access, resulting in a CVSS score of 5.4 (medium severity). No public exploit code or active KEV confirmation is indicated in available data.

XSS Growi
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Cross-user data exposure and tampering in GROWI v7.4.5 and earlier allows any authenticated user who learns a shared AI assistant's identifier to read or modify other users' OpenAI thread and message contents via API endpoints that omit authorization checks. The flaw stems from missing access control (CWE-862) on the AI assistant interaction layer rather than a memory-corruption or injection bug. No public exploit identified at time of analysis, and EPSS rates near-term exploitation probability at 0.04% (12th percentile).

Authentication Bypass Growi
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.1.11. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Growi
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper authorization vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.0.6. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Growi
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The App Settings (/admin/app) page in GROWI versions prior to v6.0.6 stores sensitive information in cleartext form. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Growi
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting vulnerability exists in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page of GROWI versions prior. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Growi
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting vulnerability when processing the MathJax exists in GROWI versions prior to v6.0.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Growi
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting vulnerability exists in the anchor tag of GROWI versions prior to v6.0.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Growi
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting vulnerability exists in the event handlers of the pre tags in GROWI versions prior to v6.0.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Growi
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting vulnerability via the img tags exists in GROWI versions prior to v6.0.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Growi
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting vulnerability which is exploiting a behavior of the XSS Filter exists in GROWI versions prior to v6.0.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Growi
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery (CSRF) vulnerability exists in the User settings (/me) page of GROWI versions prior to v6.0.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Growi
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting vulnerability when processing profile images exists in GROWI versions prior to v4.1.3. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Growi
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting vulnerability exists in the App Settings (/admin/app) page and the Markdown Settings (/admin/markdown) page of GROWI versions prior to v3.5.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Growi
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting vulnerability exists in the presentation feature of GROWI versions prior to v3.4.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Growi
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Improper access control vulnerability in GROWI prior to v5.1.4 (v5 series) and versions prior to v4.5.25 (v4 series) allows a remote authenticated attacker to bypass access restriction and download. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Growi
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Weak Password Requirements in GitHub repository weseek/growi prior to v5.0.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Brute Force Information Disclosure Growi
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM This Month

Cross-site scripting vulnerability due to the inadequate tag sanitization in GROWI versions v4.2.19 and earlier allows remote attackers to execute an arbitrary script on the web browser of the user. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Growi
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Improper authentication vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to view the unauthorized pages without access privileges via unspecified vectors. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Growi
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the information stored in the database via unspecified vectors. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Growi
NVD
EPSS 1% CVSS 4.8
MEDIUM This Month

Stored cross-site scripting vulnerability in Admin Page of GROWI (v4.2 Series) versions from v4.2.0 to v4.2.7 allows remote authenticated attackers to inject an arbitrary script via unspecified. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Growi
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Reflected cross-site scripting vulnerability due to insufficient verification of URL query parameters in GROWI (v4.2 Series) versions from v4.2.0 to v4.2.7 allows remote attackers to inject an. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Growi
NVD
EPSS 2% CVSS 7.2
HIGH This Week

Invalid file validation on the upload feature in GROWI versions v4.2.2 allows a remote attacker with administrative privilege to overwrite the files on the server, which may lead to arbitrary code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Growi
NVD
EPSS 2% CVSS 7.5
HIGH This Week

Improper access control vulnerability in GROWI versions v4.2.2 and earlier allows a remote unauthenticated attacker to read the user's personal information and/or server's internal information via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Growi
NVD
EPSS 1% CVSS 4.7
MEDIUM This Month

Path traversal vulnerability in GROWI versions v4.2.2 and earlier allows an attacker with administrator rights to read and/or delete an arbitrary path via a specially crafted URL. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Growi
NVD
EPSS 1% CVSS 2.7
LOW Monitor

Path traversal vulnerability in GROWI versions v4.2.2 and earlier allows an attacker with administrator rights to read an arbitrary path via a specially crafted URL. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Growi
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting vulnerability due to inadequate CSP (Content Security Policy) configuration in GROWI versions v4.2.2 and earlier allows remote authenticated attackers to inject an. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Growi
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Cross-site scripting vulnerability in GROWI (v4.2 Series) versions prior to v4.2.3 allows remote attackers to inject an arbitrary script via unspecified vectors. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Growi
NVD GitHub
EPSS 3% CVSS 7.5
HIGH This Week

Directory traversal vulnerability in GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier GROWI versions prior to v4.2.3 (v4.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Growi
NVD GitHub
EPSS 2% CVSS 7.5
HIGH This Week

Improper input validation in GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series), and GROWI v3 series and earlier GROWI versions prior to v4.2.3 (v4.2 Series),. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Growi
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM This Month

Stored cross-site scripting vulnerability in GROWI v3.8.1 and earlier allows remote attackers to inject arbitrary script via unspecified vectors. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Growi
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM This Month

Reflected cross-site scripting vulnerability in GROWI v4.0.0 and earlier allows remote attackers to inject arbitrary script via unspecified vectors. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Growi
NVD GitHub
EPSS 2% CVSS 7.5
HIGH This Week

GROWI v4.1.3 and earlier allow remote attackers to obtain information which is not allowed to access via unspecified vectors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Growi
NVD GitHub
EPSS 2% CVSS 7.5
HIGH This Week

In WESEEK GROWI before 3.5.0, a remote attacker can obtain the password hash of the creator of a page by leveraging wiki access to make API calls for page metadata. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Growi
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token (this is the parameter used by the API). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Growi
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM This Month

Open redirect vulnerability in GROWI v3.4.6 and earlier allows remote attackersto redirect users to arbitrary web sites and conduct phishing attacks via the process of login. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Growi
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Cross-site request forgery (CSRF) vulnerability in GROWI v3.4.6 and earlier allows remote attackers to hijack the authentication of administrators via updating user's 'Basic Info'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Growi
NVD
EPSS 1% CVSS 4.8
MEDIUM This Month

Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via the app settings section of admin page. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Growi
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the modal for creating Wiki page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Growi
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote attackers to inject arbitrary web script or HTML via Wiki page view. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Growi
NVD
EPSS 1% CVSS 4.8
MEDIUM This Month

Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via the UserGroup Management section of admin page. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Growi
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy