CVE-2026-45551 Overview
CVE-2026-45551 is a stored cross-site scripting (XSS) vulnerability [CWE-79] in Group-Office, an enterprise customer relationship management and groupware platform. The flaw allows any authenticated low-privileged user to persist arbitrary legacy settings for any user_id through the index.php?r=core/saveSetting endpoint. A client-side sink in the email module injects the email_font_size setting directly into JavaScript without escaping. Attackers chain these two issues to overwrite an administrator's setting with a JavaScript payload, triggering stored XSS in the administrator's browser when views/Extjs3/modulescripts.php loads. The vulnerability is fixed in versions 26.0.25, 25.0.100, and 6.8.165.
Critical Impact
Authenticated low-privileged users can execute arbitrary JavaScript in administrator browsers, leading to session hijacking, privilege escalation, and full administrative compromise.
Affected Products
- Group-Office versions prior to 26.0.25
- Group-Office versions prior to 25.0.100
- Group-Office versions prior to 6.8.165
Discovery Timeline
- 2026-05-29 - CVE-2026-45551 published to NVD
- 2026-05-29 - Last updated in NVD database
Technical Details for CVE-2026-45551
Vulnerability Analysis
The vulnerability stems from two distinct weaknesses that combine into a stored XSS attack chain. The first weakness lies in the core/saveSetting action exposed through index.php. This endpoint accepts a user_id parameter without verifying that the requesting user owns or has permission to modify that account's settings. Any authenticated user can write arbitrary legacy setting values to any other user's profile, including administrators.
The second weakness exists in the email module's client-side rendering logic. The application loads views/Extjs3/modulescripts.php to bootstrap the email interface and embeds the stored email_font_size value directly into JavaScript output. The value receives no HTML or JavaScript escaping before insertion, breaking the trust boundary between persisted user data and executable script context.
Root Cause
The root cause is a combination of broken access control on the settings persistence endpoint and unsafe output rendering in a client-side script sink. Neither layer alone would be exploitable for cross-user XSS, but together they enable a low-privileged attacker to inject script that executes in another user's authenticated session.
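The two weaknesses side by side with hardened forms, as an added PHP illustration that is not Group-Office's own code; only the endpoint, setting name and script path come from the advisory, while the function names, the session/request array shapes and the GO.email.fontSize variable are assumptions:

```php
<?php
// Added illustration of the two weaknesses and their fixes; not Group-Office's code.
// Only the endpoint, setting name and script path come from the advisory; the
// session/request array shapes and the GO.email.fontSize variable are assumptions.

// Weakness 1 (vulnerable shape): the write targets whatever user_id the client sent.
function resolveTargetUserVulnerable(array $session, array $post): int
{
    return (int) $post['user_id'];
}

// Hardened: bind the write to the session user; only admins may name another account.
function resolveTargetUserHardened(array $session, array $post): int
{
    $sessionUser = (int) $session['user_id'];
    $target = isset($post['user_id']) ? (int) $post['user_id'] : $sessionUser;
    if ($target !== $sessionUser && empty($session['is_admin'])) {
        throw new RuntimeException('403: cannot modify another user\'s settings');
    }
    return $target;
}

// Defence in depth: a font size is digits with an optional CSS unit, nothing else.
function validateEmailFontSize(string $value): string
{
    if (!preg_match('/^\d{1,3}(px|pt|em)?$/', $value)) {
        throw new InvalidArgumentException('400: invalid email_font_size');
    }
    return $value;
}

// Weakness 2 (vulnerable shape): modulescripts.php concatenates the stored value
// into JavaScript, so a quote in the value terminates the string literal early.
function renderFontSizeVulnerable(string $fontSize): string
{
    return "GO.email.fontSize = '" . $fontSize . "';\n";
}
// Hardened: json_encode emits a real JS string literal, and the HEX flags escape
// < > ' " & so the value can neither close the literal nor a surrounding <script>.
function renderFontSizeHardened(string $fontSize): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;
    return 'GO.email.fontSize = ' . json_encode($fontSize, $flags) . ";\n";
}

// Constructed value with the quote-breaking shape the advisory describes.
$stored = "12px'; x(); //";
echo renderFontSizeVulnerable($stored);   // the literal ends after 12px; x() would run
echo renderFontSizeHardened($stored);     // one escaped string literal; nothing executes
```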
Attack Vector
An authenticated attacker submits a crafted POST request to index.php?r=core/saveSetting specifying the target administrator's user_id and a malicious JavaScript payload as the value of email_font_size. When the administrator next loads the GroupOffice web client, the email module fetches views/Extjs3/modulescripts.php, which writes the payload into the page's JavaScript context. The browser executes the payload under the administrator's origin and session, granting the attacker access to administrative functions and session tokens. Refer to the GitHub Security Advisory for additional technical context.
Detection Methods for CVE-2026-45551
Indicators of Compromise
- POST requests to index.php?r=core/saveSetting where the supplied user_id does not match the session user identifier
- Stored values for email_font_size containing HTML tags, <script> fragments, quote characters, or JavaScript syntax such as onerror, javascript:, or eval(
- Outbound HTTP requests from administrator browsers to unfamiliar domains shortly after loading the GroupOffice email interface
- Unexpected administrative actions originating from valid admin sessions without corresponding interactive UI activity
Detection Strategies
- Inspect web server and application logs for core/saveSetting requests and correlate the authenticated session user with the user_id parameter value
- Run database queries against the legacy settings table to identify email_font_size values that are neither plain numbers nor numeric strings with a CSS unit
- Monitor browser-side errors and content security policy violations triggered when loading views/Extjs3/modulescripts.php
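One way to run the first two detection strategies over log data, as an added PHP example that is not part of the advisory; it assumes a constructed audit-log line format that records the session user next to each request (a plain web server access log does not), and the same validator can be applied to rows pulled from the settings table:

```php
<?php
// Added detection example, not part of the advisory. The audit-line format is constructed:
// it assumes an application log that records the session user next to each request.

// A font size is digits with an optional CSS unit; anything else is suspect (IoC 2).
function isSuspiciousFontSize(string $value): bool
{
    return !preg_match('/^\d{1,3}(px|pt|em)?$/', $value);
}

// Split a saveSetting audit line into key=value fields; other lines yield [].
function parseAuditLine(string $line): array
{
    $fields = [];
    if (strpos($line, 'r=core/saveSetting') === false) {
        return $fields;
    }
    foreach (explode(' ', trim($line)) as $token) {
        if (strpos($token, '=') !== false) {
            [$k, $v] = explode('=', $token, 2);
            $fields[$k] = urldecode($v);      // query values arrive URL-encoded
        }
    }
    return $fields;
}

// Map each suspicious line to its reasons: a user_id that differs from the
// session user (IoC 1) and/or a script-like email_font_size value (IoC 2).
function findSuspiciousWrites(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $f = parseAuditLine($line);
        if (!$f) continue;
        $reasons = [];
        if (($f['session_user'] ?? '') !== ($f['user_id'] ?? '')) {
            $reasons[] = 'user_id differs from session user';
        }
        if (($f['name'] ?? '') === 'email_font_size' && isSuspiciousFontSize($f['value'] ?? '')) {
            $reasons[] = 'non-numeric email_font_size';
        }
        if ($reasons) $hits[$line] = $reasons;
    }
    return $hits;
}

// Constructed sample: a benign self-write, then a cross-user write of a quote-breaking value.
$sample = [
    '2026-05-30T10:12:01Z session_user=17 POST /index.php?r=core/saveSetting user_id=17 name=email_font_size value=12px',
    '2026-05-30T10:13:44Z session_user=17 POST /index.php?r=core/saveSetting user_id=1 name=email_font_size value=12px%27%3Bx()%3B%2F%2F',
];
print_r(findSuspiciousWrites($sample));
```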
Monitoring Recommendations
- Enable verbose audit logging for all setting modification endpoints in GroupOffice
- Alert on any non-numeric content stored in font size or other style-related settings fields
- Track administrative account activity for session reuse from new IP addresses or user agents following email module access
How to Mitigate CVE-2026-45551
Immediate Actions Required
- Upgrade Group-Office to version 26.0.25, 25.0.100, or 6.8.165 depending on the deployed branch
- Audit the legacy settings store for email_font_size and related entries containing script-like content and remove them
- Force a password reset and session invalidation for administrator accounts that loaded the email module before patching
Patch Information
Intermesh fixed the vulnerability in Group-Office releases 26.0.25, 25.0.100, and 6.8.165. The patch is documented in the GitHub Security Advisory GHSA-9w92-p32g-g99p. Administrators should apply the update for their installed major version branch and verify that the upgrade reaches all application nodes.
Workarounds
- Restrict network access to the GroupOffice administrative interface using IP allow lists until patching is complete
- Deploy a web application firewall rule that blocks core/saveSetting requests where the user_id parameter does not match the authenticated session
- Apply a strict Content Security Policy that disallows inline script execution to reduce the impact of stored payloads
# Example WAF rule concept blocking cross-user setting writes
# ModSecurity syntax. phase:2 is required so ARGS includes the POST body, and the
# chained rule only fires when both conditions match. %{SESSION.user_id} is empty
# unless an earlier rule initialises the session collection (setsid) from the
# GroupOffice session cookie and stores the authenticated user's id in it.
SecRule REQUEST_URI "@contains r=core/saveSetting" \
    "id:1004551,phase:2,chain,deny,status:403,log,msg:'GroupOffice cross-user setting write'"
    SecRule ARGS:user_id "!@streq %{SESSION.user_id}" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

