CVE-2026-23887 is a stored Cross-Site Scripting (XSS) vulnerability affecting Intermesh Group-Office, an enterprise CRM and groupware platform. The vulnerability exists in versions below 6.8.149 and between 25.0.1 and 25.0.79 due to improper neutralization of input during web page generation (CWE-79). Specifically, the application stores filenames without sanitizing or encoding them before rendering in the web interface. When a user views these maliciously crafted filenames, embedded scripts execute in the context of the victim's browser session. This can lead to session hijacking, unauthorized actions, or theft of sensitive information accessible through the user's session. The vulnerability requires no authentication to exploit but does require user interaction (viewing the file list). The scope is limited to the file-viewing context within the Group-Office application, reducing the attack surface but still posing a meaningful risk. The issue is resolved in versions 6.8.149 and 25.0.80 by properly sanitizing filenames before display. No known exploits are currently reported in the wild, but the vulnerability's presence in widely used versions necessitates prompt patching.

For European organizations using Group-Office, this vulnerability could allow attackers to execute malicious scripts in users' browsers, potentially leading to session hijacking, unauthorized data access, or manipulation of user actions within the application. Given Group-Office's role in managing customer relationships and internal collaboration, exploitation could compromise sensitive business data and disrupt workflows. The medium severity rating reflects that while the vulnerability requires user interaction and is limited to the file-viewing context, successful exploitation can still undermine confidentiality and integrity of user sessions. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, face increased compliance risks if such vulnerabilities are exploited. Additionally, the vulnerability could be leveraged as a foothold for further attacks within the network if attackers gain persistent access through compromised sessions.

European organizations should immediately upgrade Group-Office installations to versions 6.8.149 or 25.0.80 or later to apply the official fix. Until patching is complete, administrators should restrict file upload permissions to trusted users only and monitor file names for suspicious or unexpected characters that could indicate exploitation attempts. Implementing Web Application Firewalls (WAF) with rules to detect and block XSS payloads in HTTP requests can provide an additional layer of defense. User awareness training should emphasize caution when interacting with unexpected or unusual filenames in the application. Regular security audits and code reviews of custom integrations with Group-Office can help identify similar input validation issues. Finally, organizations should ensure session management controls are robust to limit the impact of any session hijacking attempts.