{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26291", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-04-10T06:02:38.943Z", "datePublished": "2026-04-15T04:19:31.678Z", "dateUpdated": "2026-04-15T16:13:20.770Z"}, "containers": {"cna": {"affected": [{"vendor": "GROWI, Inc.", "product": "GROWI", "versions": [{"version": "v7.4.6 and earlier", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "Stored cross-site scripting vulnerability exists in GROWI v7.4.6 and earlier. If this vulnerability is exploited, an arbitrary script may be executed in a user's web browser."}], "problemTypes": [{"descriptions": [{"description": "Cross-site scripting (XSS)", "lang": "en-US", "cweId": "CWE-79", "type": "CWE"}]}], "references": [{"url": "https://growi.co.jp/news/43/"}, {"url": "https://jvn.jp/en/jp/JVN62079296/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "MEDIUM", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-04-15T04:19:31.678Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T13:32:50.301600Z", "id": "CVE-2026-26291", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T16:13:20.770Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26291", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T13:32:50.301600Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:32:53.385Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "GROWI, Inc.", "product": "GROWI", "versions": [{"status": "affected", "version": "v7.4.6 and earlier"}]}], "references": [{"url": "https://growi.co.jp/news/43/"}, {"url": "https://jvn.jp/en/jp/JVN62079296/"}], "descriptions": [{"lang": "en", "value": "Stored cross-site scripting vulnerability exists in GROWI v7.4.6 and earlier. If this vulnerability is exploited, an arbitrary script may be executed in a user's web browser."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-79", "description": "Cross-site scripting (XSS)"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-04-15T04:19:31.678Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26291", "state": "PUBLISHED", "dateUpdated": "2026-04-15T16:13:20.770Z", "dateReserved": "2026-04-10T06:02:38.943Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2026-04-15T04:19:31.678Z", "assignerShortName": "jpcert"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Stored cross-site scripting vulnerability exists in GROWI v7.4.6 and earlier. If this vulnerability is exploited, an arbitrary script may be executed in a user's web browser."}], "id": "CVE-2026-26291", "lastModified": "2026-04-17T15:38:09.243", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-04-15T05:16:25.597", "references": [{"source": "vultures@jpcert.or.jp", "url": "https://growi.co.jp/news/43/"}, {"source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/jp/JVN62079296/"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.4.6]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "GROWI", "source": "cna", "vendor": "GROWI, Inc."}, "product": "growi", "vendor": "growi"}], "analysis": {"en": {"generated_at": "2026-04-15T06:50:43.631144+00:00", "value": {"mitigation_remediation": ["Upgrade GROWI to a version newer than 7.4.6 when a vendor patch is released.", "If a patch is unavailable, configure input sanitization to escape or strip disallowed script content when storing and displaying user data.", "Implement a Content Security Policy that limits script execution to trusted sources and disallows inline scripts.", "Restrict or disable the ability for ordinary users to create or edit content that is rendered without proper escaping."], "summary": {"action": "Apply Patch", "impact": "Client\u2011Side Script Execution"}, "threat_synthesis": {"affected_systems": "The affected product is GROWI by GROWI Inc. The vulnerability exists in all releases up to and including v7.4.6. No information is provided about a patch release, so administrators should verify whether a newer version is available.", "description_and_impact": "GROWI versions 7.4.6 and earlier suffer a stored cross\u2011site scripting flaw that allows an attacker to inject arbitrary JavaScript into the system\u2019s database. When a victim later views a page that renders the malicious content, the script runs in the victim\u2019s browser with the user\u2019s privileges, potentially enabling cookie theft, session hijacking or defacement of the displayed page. This is a classic stored XSS described as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 4.8 indicates a medium severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet become a widely exploited threat. It is inferred that the attack vector requires an attacker to create or modify content that will be displayed to other users; when that content is rendered, the malicious script executes in the victim\u2019s browser. The potential impact includes data theft, session hijack, and site defacement, and could affect any user who views the injected content."}}}}, "created": "2026-04-15T13:44:47.520074+00:00", "updated": "2026-04-15T13:49:14.868694+00:00", "vendors": ["growi", "growi$PRODUCT$growi"]}