{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25134", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-29T14:03:42.540Z", "datePublished": "2026-02-02T22:40:15.094Z", "dateUpdated": "2026-02-04T16:53:26.657Z"}, "containers": {"cna": {"title": "Group-Office Argument Injection in MaintenanceController::actionZipLanguage", "problemTypes": [{"descriptions": [{"cweId": "CWE-88", "lang": "en", "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-v39j-549w-8849", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-v39j-549w-8849"}, {"name": "https://github.com/Intermesh/groupoffice/commit/d28490a6a29936db7888aa841ab8ade88800540b", "tags": ["x_refsource_MISC"], "url": "https://github.com/Intermesh/groupoffice/commit/d28490a6a29936db7888aa841ab8ade88800540b"}], "affected": [{"vendor": "Intermesh", "product": "groupoffice", "versions": [{"version": "< 6.8.150", "status": "affected"}, {"version": ">= 25.0.0, < 25.0.82", "status": "affected"}, {"version": ">= 26.0.0, < 26.0.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-02T22:40:15.094Z"}, "descriptions": [{"lang": "en", "value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to 6.8.150, 25.0.82, and 26.0.5, the MaintenanceController exposes an action zipLanguage which takes a lang parameter and passes it directly to a system zip command via exec(). This can be combined with uploading a crafted zip file to achieve remote code execution. This vulnerability is fixed in 6.8.150, 25.0.82, and 26.0.5."}], "source": {"advisory": "GHSA-v39j-549w-8849", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T15:54:26.783842Z", "id": "CVE-2026-25134", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:53:26.657Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25134", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-04T15:54:26.783842Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T15:54:27.632Z"}}], "cna": {"title": "Group-Office Argument Injection in MaintenanceController::actionZipLanguage", "source": {"advisory": "GHSA-v39j-549w-8849", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Intermesh", "product": "groupoffice", "versions": [{"status": "affected", "version": "< 6.8.150"}, {"status": "affected", "version": ">= 25.0.0, < 25.0.82"}, {"status": "affected", "version": ">= 26.0.0, < 26.0.5"}]}], "references": [{"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-v39j-549w-8849", "name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-v39j-549w-8849", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Intermesh/groupoffice/commit/d28490a6a29936db7888aa841ab8ade88800540b", "name": "https://github.com/Intermesh/groupoffice/commit/d28490a6a29936db7888aa841ab8ade88800540b", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to 6.8.150, 25.0.82, and 26.0.5, the MaintenanceController exposes an action zipLanguage which takes a lang parameter and passes it directly to a system zip command via exec(). This can be combined with uploading a crafted zip file to achieve remote code execution. This vulnerability is fixed in 6.8.150, 25.0.82, and 26.0.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-88", "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-02T22:40:15.094Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25134", "state": "PUBLISHED", "dateUpdated": "2026-02-04T16:53:26.657Z", "dateReserved": "2026-01-29T14:03:42.540Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-02T22:40:15.094Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:group-office:group_office:*:*:*:*:*:*:*:*", "matchCriteriaId": "97DDA2DE-263C-4AB0-BA43-6AD9D0CAF599", "versionEndExcluding": "6.8.150", "vulnerable": true}, {"criteria": "cpe:2.3:a:group-office:group_office:*:*:*:*:*:*:*:*", "matchCriteriaId": "39BE8337-170B-4895-A5AA-B27AFB64E418", "versionEndExcluding": "25.0.82", "versionStartIncluding": "25.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:group-office:group_office:*:*:*:*:*:*:*:*", "matchCriteriaId": "FB489F3F-5EA4-4DFD-9F70-9AD862D7401A", "versionEndExcluding": "26.0.5", "versionStartIncluding": "26.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to 6.8.150, 25.0.82, and 26.0.5, the MaintenanceController exposes an action zipLanguage which takes a lang parameter and passes it directly to a system zip command via exec(). This can be combined with uploading a crafted zip file to achieve remote code execution. This vulnerability is fixed in 6.8.150, 25.0.82, and 26.0.5."}, {"lang": "es", "value": "Group-Office es una herramienta empresarial de gesti\u00f3n de relaciones con clientes y groupware. Antes de las versiones 6.8.150, 25.0.82 y 26.0.5, el MaintenanceController expone una acci\u00f3n zipLanguage que toma un par\u00e1metro lang y lo pasa directamente a un comando zip del sistema a trav\u00e9s de exec(). Esto puede combinarse con la carga de un archivo zip manipulado para lograr la ejecuci\u00f3n remota de c\u00f3digo. Esta vulnerabilidad est\u00e1 corregida en las versiones 6.8.150, 25.0.82 y 26.0.5."}], "id": "CVE-2026-25134", "lastModified": "2026-02-18T17:35:28.413", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-02T23:16:09.120", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Intermesh/groupoffice/commit/d28490a6a29936db7888aa841ab8ade88800540b"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-v39j-549w-8849"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-88"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T00:30:02.152872+00:00", "value": {"mitigation_remediation": ["Upgrade Group-Office to version 6.8.150 or newer.", "Upgrade Group-Office to version 25.0.82 or newer.", "Upgrade Group-Office to version 26.0.5 or newer."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The security issue afflicts Intermesh Group-Office versions released before 6.8.150, 25.0.82, and 26.0.5. All installations of the 6.x, 25.x, and 26.x branches that are older than these specific releases remain vulnerable. Updates beyond these versions contain the fix that validates the parameter prior to invoking the zip command.", "description_and_impact": "The vulnerability resides in the MaintenanceController::actionZipLanguage method of Group-Office; it forwards a user-supplied \"lang\" parameter directly to the operating system's zip command via exec() without validation. This flaw permits an attacker to craft a malicious zip file and supply a tampered \"lang\" value, thereby injecting arbitrary command-line arguments and achieving remote execution of code on the host. The flaw is classified with a high severity CVSS score of 9.4, indicating a critical risk to confidentiality, integrity, and availability.", "risk_and_exploitability": "Exploitation requires access to the web application to invoke the MaintenanceController action and upload a specially crafted zip archive. The EPSS of less than 1% suggests a low observed exploitation rate, yet the CVSS score signals that if an attacker succeeds they can execute arbitrary code with the privileges of the web server. The vulnerability is not currently listed in CISA\u2019s Known Exploited Vulnerabilities catalog, but the mechanism and severity warrant immediate attention."}}}}, "created": "2026-02-04T12:18:01.408385+00:00", "updated": "2026-04-18T00:30:25.719934+00:00", "vendors": ["intermesh", "intermesh$PRODUCT$group-office"]}