{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25511", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-02T18:21:42.486Z", "datePublished": "2026-02-04T20:40:04.317Z", "dateUpdated": "2026-02-05T21:02:22.830Z"}, "containers": {"cna": {"title": "Group-Office is vulnerable to SSRF and File Read in WOPI service discovery", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-r9v4-jm2r-r9pm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-r9v4-jm2r-r9pm"}, {"name": "https://github.com/Intermesh/groupoffice/commit/5ac199dce758e1ce0d1cdb6905df5da3c2af42b3", "tags": ["x_refsource_MISC"], "url": "https://github.com/Intermesh/groupoffice/commit/5ac199dce758e1ce0d1cdb6905df5da3c2af42b3"}], "affected": [{"vendor": "Intermesh", "product": "groupoffice", "versions": [{"version": "< 6.8.150", "status": "affected"}, {"version": "< 25.0.82", "status": "affected"}, {"version": "< 26.0.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T20:40:04.317Z"}, "descriptions": [{"lang": "en", "value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, an authenticated user within the System Administrator group can trigger a full SSRF via the WOPI service discovery URL, including access to internal hosts/ports. The SSRF response body can be exfiltrated via the built\u2011in debug system, turning it into a visible SSRF. This also allows full server-side file read. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5."}], "source": {"advisory": "GHSA-r9v4-jm2r-r9pm", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-r9v4-jm2r-r9pm", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-05T21:02:18.815073Z", "id": "CVE-2026-25511", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T21:02:22.830Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25511", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-05T21:02:18.815073Z"}}}], "references": [{"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-r9v4-jm2r-r9pm", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T21:02:08.037Z"}}], "cna": {"title": "Group-Office is vulnerable to SSRF and File Read in WOPI service discovery", "source": {"advisory": "GHSA-r9v4-jm2r-r9pm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Intermesh", "product": "groupoffice", "versions": [{"status": "affected", "version": "< 6.8.150"}, {"status": "affected", "version": "< 25.0.82"}, {"status": "affected", "version": "< 26.0.5"}]}], "references": [{"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-r9v4-jm2r-r9pm", "name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-r9v4-jm2r-r9pm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Intermesh/groupoffice/commit/5ac199dce758e1ce0d1cdb6905df5da3c2af42b3", "name": "https://github.com/Intermesh/groupoffice/commit/5ac199dce758e1ce0d1cdb6905df5da3c2af42b3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, an authenticated user within the System Administrator group can trigger a full SSRF via the WOPI service discovery URL, including access to internal hosts/ports. The SSRF response body can be exfiltrated via the built\u2011in debug system, turning it into a visible SSRF. This also allows full server-side file read. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T20:40:04.317Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25511", "state": "PUBLISHED", "dateUpdated": "2026-02-05T21:02:22.830Z", "dateReserved": "2026-02-02T18:21:42.486Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-04T20:40:04.317Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:group-office:group_office:*:*:*:*:*:*:*:*", "matchCriteriaId": "1F54FF3F-BE7C-41FF-926A-9496CE99CE97", "versionEndExcluding": "6.8.150", "versionStartIncluding": "6.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:group-office:group_office:*:*:*:*:*:*:*:*", "matchCriteriaId": "39BE8337-170B-4895-A5AA-B27AFB64E418", "versionEndExcluding": "25.0.82", "versionStartIncluding": "25.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:group-office:group_office:*:*:*:*:*:*:*:*", "matchCriteriaId": "FB489F3F-5EA4-4DFD-9F70-9AD862D7401A", "versionEndExcluding": "26.0.5", "versionStartIncluding": "26.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, an authenticated user within the System Administrator group can trigger a full SSRF via the WOPI service discovery URL, including access to internal hosts/ports. The SSRF response body can be exfiltrated via the built\u2011in debug system, turning it into a visible SSRF. This also allows full server-side file read. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5."}], "id": "CVE-2026-25511", "lastModified": "2026-02-11T19:16:29.217", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-04T21:16:02.243", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Intermesh/groupoffice/commit/5ac199dce758e1ce0d1cdb6905df5da3c2af42b3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-r9v4-jm2r-r9pm"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-r9v4-jm2r-r9pm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T23:12:54.792035+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011provided patch that updates Group\u2011Office to version 6.8.150 or newer, 25.0.82 or newer, or 26.0.5 or newer, thereby eliminating the SSRF and file read paths.", "If an immediate patch is not possible, restrict the System Administrator group to a minimal trusted set of users, and consider disabling the WOPI service discovery and the built\u2011in debug system to reduce the attack surface.", "Enforce network segmentation and monitoring so that outbound requests from the Group\u2011Office server to internal addresses are logged and routinely reviewed for anomalous activity."], "summary": {"action": "Immediate Patch", "impact": "Server\u2011side request forgery enabling internal host enumeration and arbitrary file read"}, "threat_synthesis": {"affected_systems": "The flaw affects Intermesh Group\u2011Office installations with versions prior to 6.8.150, 25.0.82, and 26.0.5. All affected releases are listed on the Group\u2011Office product page and the CVE advisory. Systems running a later version are not impacted.", "description_and_impact": "An authenticated user belonging to the System Administrator group can trigger a full server\u2011side request forgery via the WOPI service discovery URL. The vulnerability also allows direct reading of files on the host. The exploit path relies on the built\u2011in debug system to expose the SSRF response body, effectively turning the request into an exfiltration channel. This weakness falls under CWE\u2011918 and can lead to the disclosure of sensitive internal information and the compromise of file integrity.", "risk_and_exploitability": "The CVSS v3.1 score of 8.2 reflects a high severity, and the EPSS score of less than 1% indicates a low but non\u2011zero likelihood of exploitation at present. The vulnerability is not included in the CISA KEV catalog, suggesting no known active exploitation. Attack execution requires authenticated access with System Administrator privileges; from there, an attacker can instruct the server to make requests to any internal host or port and read any file available to the process. Given the high impact and the need for privileged access, organizations should treat this as a critical patching priority."}}}}, "created": "2026-02-05T11:39:14.105667+00:00", "updated": "2026-04-17T23:15:30.810926+00:00", "vendors": ["intermesh", "intermesh$PRODUCT$group-office"]}