CVE-2026-23887 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Intermesh Group-Office enterprise CRM and groupware application. The flaw exists in versions prior to 6.8.149 and from 25.0.1 up to 25.0.79, where the application fails to properly sanitize filenames before storing them in the database. When users access or interact with these maliciously crafted filenames within the Group-Office interface, the embedded scripts can execute in their browsers. This improper neutralization of input during web page generation (CWE-79) allows attackers to inject arbitrary JavaScript code, potentially leading to session hijacking, unauthorized actions, or other malicious behaviors within the user's browser context. The vulnerability is constrained to the file-viewing context, limiting its scope but still posing a significant risk to user confidentiality and integrity. Exploitation does not require authentication but does require user interaction (viewing the malicious filename). The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction needed, and low impact on confidentiality and integrity, with no impact on availability. No known exploits are reported in the wild as of the publication date. The issue is resolved in Group-Office versions 6.8.149 and 25.0.80 and later. Organizations using affected versions should apply patches promptly and consider additional mitigations such as input validation and Content Security Policy (CSP) enforcement to mitigate potential exploitation.

For European organizations, this vulnerability poses a moderate risk primarily to confidentiality and integrity of user sessions within the Group-Office application. Successful exploitation could allow attackers to hijack user sessions, steal sensitive information, or perform unauthorized actions on behalf of users, potentially leading to data breaches or operational disruptions. Given Group-Office's use in enterprise CRM and groupware contexts, compromised accounts could expose customer data, internal communications, and scheduling information. The requirement for user interaction and the limited scope to file-viewing contexts somewhat reduce the risk, but phishing or social engineering could facilitate exploitation. Organizations with high reliance on Group-Office for collaboration and customer management, especially in sectors like finance, healthcare, and government, face increased exposure. The absence of known exploits in the wild suggests a window for proactive mitigation. Failure to address this vulnerability could result in reputational damage, regulatory penalties under GDPR for data breaches, and operational impacts from compromised user accounts.

1. Upgrade Group-Office installations to version 6.8.149 or 25.0.80 and above immediately to apply the official fix. 2. Implement strict input validation and sanitization on all user-supplied filenames and other inputs to prevent injection of malicious scripts. 3. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts within the Group-Office web application context. 4. Educate users on the risks of interacting with suspicious filenames or links within the application to reduce the likelihood of triggering malicious payloads. 5. Monitor application logs and user activity for unusual behavior indicative of exploitation attempts. 6. Consider isolating or sandboxing file viewing components to limit the impact of potential XSS attacks. 7. Regularly review and update web application firewall (WAF) rules to detect and block XSS payloads targeting Group-Office. 8. Conduct periodic security assessments and penetration testing focusing on input validation and XSS vulnerabilities in the Group-Office environment.