{"id":"CVE-2026-30237","summary":"Group-Office: Self XSS in GroupOffice Installer License Page (install/license.php)","details":"Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in the GroupOffice installer, endpoint install/license.php. The POST field license is rendered without escaping inside a \u003ctextarea\u003e, allowing a \u003c/textarea\u003e\u003cscript\u003e...\u003c/script\u003e breakout.. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10.","aliases":["GHSA-hchr-32xh-x5rx"],"modified":"2026-04-10T05:41:48.843709Z","published":"2026-03-06T21:13:33.925Z","database_specific":{"cwe_ids":["CWE-79"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30237.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30237.json"},{"type":"ADVISORY","url":"https://github.com/Intermesh/groupoffice/security/advisories/GHSA-hchr-32xh-x5rx"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30237"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/intermesh/groupoffice","events":[{"introduced":"0"},{"fixed":"5bdc0a93c188daadc11a273238653cef3ba75586"}]}],"versions":["v6.3.1","v6.3.10","v6.3.11","v6.3.12","v6.3.14","v6.3.3","v6.3.4","v6.3.5","v6.3.6","v6.3.7","v6.3.8","v6.4.23","v6.4.25","v6.4.26","v6.4.27","v6.4.28","v6.4.29","v6.4.30","v6.4.31","v6.4.32","v6.4.33","v6.4.34","v6.4.35","v6.4.36","v6.4.37","v6.4.38","v6.4.39","v6.4.40","v6.4.41","v6.4.42","v6.4.43","v6.4.44","v6.4.49","v6.4.50","v6.4.51","v6.5.30","v6.5.31","v6.5.32","v6.5.33","v6.5.34","v6.5.35","v6.5.36","v6.5.37","v6.5.38","v6.5.39","v6.5.41","v6.5.42","v6.5.43","v6.5.44","v6.5.45","v6.5.46","v6.5.47","v6.5.48","v6.5.49","v6.5.50","v6.5.51","v6.5.52","v6.5.53","v6.5.54","v6.5.55","v6.5.56","v6.5.57","v6.5.58","v6.5.59","v6.5.60","v6.5.61","v6.5.62","v6.5.63","v6.5.64","v6.5.65","v6.5.66","v6.5.67","v6.5.68","v6.5.69","v6.5.70","v6.5.71","v6.5.72","v6.5.73","v6.5.74","v6.5.75","v6.5.76","v6.5.77","v6.5.78","v6.5.79","v6.5.80","v6.5.81","v6.5.82","v6.5.84","v6.5.85","v6.5.86","v6.5.88","v6.5.89","v6.5.90","v6.5.91","v6.5.92","v6.5.93","v6.5.95","v6.5.96","v6.6.100","v6.6.102","v6.6.103","v6.6.104","v6.6.105","v6.6.106","v6.6.107","v6.6.110","v6.6.117","v6.6.118","v6.6.119","v6.6.124","v6.6.125","v6.6.126","v6.6.127","v6.6.128","v6.6.129","v6.6.130","v6.6.131","v6.6.132","v6.6.133","v6.6.134","v6.6.135","v6.6.136","v6.6.137","v6.6.138","v6.6.139","v6.6.140","v6.6.141","v6.6.143","v6.6.27","v6.6.28","v6.6.29","v6.6.30","v6.6.31","v6.6.32","v6.6.33","v6.6.34","v6.6.35","v6.6.36","v6.6.37","v6.6.38","v6.6.39","v6.6.40","v6.6.41","v6.6.42","v6.6.43","v6.6.44","v6.6.45","v6.6.46","v6.6.47","v6.6.48","v6.6.49","v6.6.50","v6.6.51","v6.6.52","v6.6.53","v6.6.54","v6.6.55","v6.6.56","v6.6.57","v6.6.58","v6.6.59","v6.6.60","v6.6.61","v6.6.62","v6.6.63","v6.6.64","v6.6.65","v6.6.66","v6.6.67","v6.6.68","v6.6.69","v6.6.70","v6.6.71","v6.6.72","v6.6.81","v6.6.82","v6.6.83","v6.6.84","v6.6.85","v6.6.86","v6.6.87","v6.6.88","v6.6.89","v6.6.90","v6.6.91","v6.6.92","v6.6.93","v6.6.94","v6.6.95","v6.6.96","v6.6.97","v6.6.98","v6.6.99","v6.7.10","v6.7.11","v6.7.12","v6.7.13","v6.7.14","v6.7.15","v6.7.17","v6.7.19","v6.7.20","v6.7.22","v6.7.24","v6.7.25","v6.7.26","v6.7.27","v6.7.28","v6.7.29","v6.7.30","v6.7.31","v6.7.32","v6.7.33","v6.7.35","v6.7.36","v6.7.37","v6.7.38","v6.7.39","v6.7.40","v6.7.41","v6.7.42","v6.7.43","v6.7.44","v6.7.8","v6.7.9","v6.8.10","v6.8.100","v6.8.101","v6.8.102","v6.8.107","v6.8.11","v6.8.114","v6.8.116","v6.8.117","v6.8.118","v6.8.12","v6.8.120","v6.8.121","v6.8.122","v6.8.123","v6.8.124","v6.8.125","v6.8.126","v6.8.127","v6.8.128","v6.8.129","v6.8.130","v6.8.131","v6.8.132","v6.8.133","v6.8.134","v6.8.135","v6.8.139","v6.8.14","v6.8.141","v6.8.142","v6.8.146","v6.8.147","v6.8.15","v6.8.150","v6.8.151","v6.8.152","v6.8.153","v6.8.154","v6.8.16","v6.8.17","v6.8.18","v6.8.19","v6.8.21","v6.8.23","v6.8.24","v6.8.25","v6.8.26","v6.8.28","v6.8.29","v6.8.30","v6.8.31","v6.8.32","v6.8.33","v6.8.34","v6.8.35","v6.8.37","v6.8.38","v6.8.39","v6.8.40","v6.8.41","v6.8.42","v6.8.43","v6.8.44","v6.8.45","v6.8.47","v6.8.49","v6.8.50","v6.8.54","v6.8.56","v6.8.57","v6.8.58","v6.8.59","v6.8.6","v6.8.60","v6.8.61","v6.8.62","v6.8.63","v6.8.64","v6.8.66","v6.8.69","v6.8.7","v6.8.70","v6.8.73","v6.8.76","v6.8.77","v6.8.79","v6.8.83","v6.8.84","v6.8.85","v6.8.87","v6.8.88","v6.8.9","v6.8.90","v6.8.93","v6.8.94","v6.8.95","v6.8.96","v6.8.97","v6.8.98"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30237.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"}]}