CVE-2026-26291 Overview
A stored cross-site scripting (XSS) vulnerability has been identified in GROWI, a popular open-source wiki platform used for documentation and knowledge management. This vulnerability affects GROWI versions 7.4.6 and earlier, allowing attackers to inject malicious scripts that persist in the application and execute in victims' browsers when they access compromised content.
Critical Impact
Successful exploitation allows attackers to execute arbitrary JavaScript in authenticated users' browsers, potentially leading to session hijacking, credential theft, defacement of wiki content, or further attacks against other users of the GROWI platform.
Affected Products
- GROWI v7.4.6 and earlier versions
- All GROWI v7.x installations not yet updated to the fixed release
Discovery Timeline
- 2026-04-15 - CVE-2026-26291 published to NVD
- 2026-04-15 - Last updated in the NVD database
Technical Details for CVE-2026-26291
Vulnerability Analysis
This stored XSS vulnerability (CWE-79) in GROWI allows authenticated users to inject malicious script content that gets permanently stored in the application's database. Unlike reflected XSS attacks that require victims to click specially crafted links, stored XSS payloads persist within the application and automatically execute whenever other users view the infected content.
The vulnerability requires low privileges to exploit, meaning any authenticated user with content creation or editing capabilities can potentially inject malicious scripts. The attack operates over the network and requires user interaction—specifically, a victim must navigate to a page containing the stored malicious payload. When successfully exploited, the vulnerability impacts the confidentiality and integrity of data within the user's browser session on the GROWI platform.
Root Cause
The root cause of CVE-2026-26291 lies in insufficient input sanitization and output encoding within GROWI's content handling mechanisms. When user-supplied input is stored without proper validation and later rendered in web pages without adequate encoding, browsers interpret embedded script tags or JavaScript event handlers as executable code rather than harmless text. This class of vulnerability typically occurs when:
- User input containing HTML/JavaScript is accepted without filtering dangerous characters or patterns
- Stored content is rendered directly into HTML responses without proper contextual output encoding
- Content Security Policy (CSP) headers are missing or improperly configured
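The two rendering paths described above, as an added example that is not GROWI's own code: stored fields concatenated raw into the page beside the same fields entity-encoded for their HTML context. The stored page is constructed; alert(1) stands in for any script.

```javascript
// Added example (not GROWI's own code): vulnerable vs. hardened rendering
// of a stored wiki page. The "stored" page below is constructed.

// Entity-encode a value for an HTML text node or a quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: stored fields are concatenated straight into the page,
// so the browser parses whatever markup the author saved as live HTML.
function renderUnsafe(page) {
  return `<h1>${page.title}</h1>\n<div class="body">${page.body}</div>`;
}

// Hardened pattern: each untrusted value is encoded for the context it lands in.
// A wiki that must allow rich markup in the body would run it through an
// allow-list HTML sanitizer instead; plain escaping is the right tool for
// titles and other text-only fields.
function renderSafe(page) {
  return `<h1>${escapeHtml(page.title)}</h1>\n<div class="body">${escapeHtml(page.body)}</div>`;
}

// List the element names a browser would actually see in a rendering.
function tagNames(html) {
  return [...html.matchAll(/<([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
}

// Constructed stored page: a hostile edit using the vectors named on this page
// (a <script> tag and an inline event handler).
const storedPage = {
  title: 'Onboarding <img src="x" onerror="alert(1)">',
  body: '<script>alert(1)</script> Welcome to the team!',
};

console.log('unsafe tags:', tagNames(renderUnsafe(storedPage)).join(',')); // h1,img,div,script
console.log('safe tags:  ', tagNames(renderSafe(storedPage)).join(','));   // h1,div
```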
Attack Vector
The attack vector for this stored XSS vulnerability involves an authenticated attacker creating or modifying content within GROWI to include malicious JavaScript. Wiki platforms like GROWI often support rich formatting, which can provide multiple injection points including page content, comments, page titles, or user profile fields.
Once the malicious content is stored, any user who subsequently views the affected page will have the injected script execute in their browser context. This can be leveraged to steal session cookies, capture keystrokes, redirect users to phishing pages, modify displayed content, or perform actions on behalf of the victim user.
The vulnerability mechanism involves injecting script payloads into GROWI content fields. For detailed technical information regarding the specific injection points and affected components, refer to the JVN Security Advisory JVN62079296 and the GROWI Security Update.
Detection Methods for CVE-2026-26291
Indicators of Compromise
- Presence of unexpected <script> tags, JavaScript event handlers (e.g., onerror, onload, onclick), or javascript: URI schemes in stored wiki content
- Unusual outbound network connections from client browsers to unknown external domains when viewing GROWI pages
- Reports from users experiencing unexpected browser behavior, redirects, or pop-ups while using GROWI
- Audit logs showing content modifications with suspicious HTML or JavaScript patterns
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads in requests to GROWI
- Deploy browser-based security monitoring to identify anomalous script execution on GROWI pages
- Perform regular automated scanning of stored content for known XSS patterns and suspicious code fragments
- Review application access logs for patterns indicating reconnaissance or exploitation attempts
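A scanner for the stored-content indicators listed under Indicators of Compromise, serving the "automated scanning of stored content" strategy above; this is an added example, not GROWI's or JVN's code. It expects pages exported from the wiki database as `{ path, content }` objects (a constructed shape) and only flags event handlers and javascript: URIs inside a tag's attribute list or a Markdown link target, so prose that merely mentions "onclick=" is not reported.

```javascript
// Added example (not GROWI's or JVN's code): scan exported wiki pages for the
// stored-XSS indicators named on this page. Sample pages are constructed.

const TAG_RE = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;                 // opening tags with their attributes
const EVENT_ATTR_RE = /\bon[a-z]+\s*=/i;                       // onerror=, onload=, onclick=, ...
const JS_URI_ATTR_RE = /\b(?:href|src|action|formaction)\s*=\s*["']?\s*javascript:/i;
const JS_URI_MD_RE = /\]\(\s*javascript:/i;                    // Markdown link target [x](javascript:...)

// Return findings for one page as { line, kind, tag } objects.
function scanPage(page) {
  const findings = [];
  page.content.split('\n').forEach((text, i) => {
    const line = i + 1;
    if (JS_URI_MD_RE.test(text)) findings.push({ line, kind: 'javascript-uri', tag: 'markdown-link' });
    for (const [, name, attrs] of text.matchAll(TAG_RE)) {
      const tag = name.toLowerCase();
      if (tag === 'script') findings.push({ line, kind: 'script-tag', tag });
      if (EVENT_ATTR_RE.test(attrs)) findings.push({ line, kind: 'event-handler', tag });
      if (JS_URI_ATTR_RE.test(attrs)) findings.push({ line, kind: 'javascript-uri', tag });
    }
  });
  return findings;
}

// Scan a whole export and keep only pages with findings, for triage or alerting.
function scanExport(pages) {
  return pages
    .map((p) => ({ path: p.path, findings: scanPage(p) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample export: three suspicious pages and one benign page that
// talks about event handlers without containing any.
const samplePages = [
  { path: '/onboarding', content: '# Onboarding\n\nWelcome!\n\n<img src="x" onerror="alert(1)">' },
  { path: '/howto-js', content: 'Avoid inline onclick= handlers; use addEventListener instead.' },
  { path: '/links', content: '[Click](javascript:alert(1))\n<a href="javascript:alert(1)">go</a>' },
  { path: '/release', content: '<script>alert(1)</script>\nRelease notes' },
];

console.log(JSON.stringify(scanExport(samplePages), null, 2));
```

Scanning raw Markdown misses vectors that only appear after rendering, so for completeness run the same checks against the HTML the wiki actually serves.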
Monitoring Recommendations
- Enable detailed audit logging for all content creation and modification activities in GROWI
- Configure alerting for Content Security Policy (CSP) violation reports if CSP is deployed
- Monitor for unusual patterns in user session activity that may indicate session hijacking
- Implement periodic security scans against GROWI deployments to identify new vulnerabilities
How to Mitigate CVE-2026-26291
Immediate Actions Required
- Upgrade GROWI to the latest patched version as specified in the vendor security advisory
- Review existing wiki content for signs of malicious script injection and sanitize affected pages
- Implement Content Security Policy (CSP) headers to restrict script execution sources
- Limit user permissions where possible to reduce the attack surface for content injection
Patch Information
GROWI has released security updates to address this vulnerability. Organizations should consult the GROWI Security Update for specific patch information and upgrade instructions. The JVN Security Advisory JVN62079296 provides additional details about the vulnerability and remediation guidance.
Workarounds
- Deploy a Web Application Firewall (WAF) configured with XSS detection rules to filter malicious input
- Implement strict Content Security Policy headers to prevent inline script execution: Content-Security-Policy: default-src 'self'; script-src 'self'
- Restrict content creation and editing permissions to trusted users only
- Consider placing GROWI behind network access controls to limit exposure while awaiting patching
# Example: add Content Security Policy and related headers in the nginx configuration
# Add these to the nginx server block that fronts GROWI
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self';" always;
add_header X-Content-Type-Options "nosniff" always;
# X-XSS-Protection is a legacy header; current browsers ignore it (Chromium removed its XSS auditor), so it does not substitute for CSP
add_header X-XSS-Protection "1; mode=block" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.