PatchSiren cyber security CVE debrief
CVE-2026-26291 GROWI, Inc. CVE debrief
A stored cross-site scripting (XSS) vulnerability affects GROWI v7.4.6 and earlier. If exploited, this flaw allows an attacker to execute arbitrary scripts in a user's web browser. The vulnerability was published on April 15, 2026, and last modified on May 19, 2026. The CVSS 4.0 score of 4.8 reflects a medium severity with network attack vector, low attack complexity, and required user interaction. The weakness is categorized as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vendor has been identified as GROWI based on reference domain analysis, though this attribution carries low confidence and requires review. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: GROWI, Inc.
- Product: GROWI
- CVSS: MEDIUM 4.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-15
- Original CVE updated: 2026-05-19
- Advisory published: 2026-04-15
- Advisory updated: 2026-05-19
Who should care
Organizations running GROWI wiki instances, particularly those with multi-user environments where untrusted users can create or edit content. Security teams responsible for web application security and content management system hardening.
Technical summary
This stored XSS vulnerability in the GROWI wiki platform (v7.4.6 and earlier) enables injection of malicious scripts that persist in the application and execute when other users view the affected content. The attack requires network access and user interaction, with low privileges needed for the initial injection. The CVSS 4.0 environmental metrics are not specified, so the 4.8 score is a base score and the effective severity may differ depending on the deployment context.
Defensive priority
medium
Recommended defensive actions
- Upgrade GROWI to a version newer than v7.4.6 per vendor guidance
- Review and sanitize user-generated content inputs to prevent stored XSS
- Implement Content Security Policy headers to mitigate script injection impact
- Monitor for suspicious script activity in GROWI wiki content
- Verify vendor attribution through independent confirmation given low confidence assessment
Evidence notes
The CVE description confirms stored XSS in GROWI v7.4.6 and earlier. The CVSS 4.0 vector indicates network accessibility with user interaction required. References include the vendor security notice and the JPCERT/CC advisory. Vendor attribution is derived from the reference domain 'growi.co.jp' and carries a low-confidence flag.
Official resources
The vulnerability was disclosed through JPCERT/CC and is tracked under JVN#62079296. The vendor has published a security advisory addressing this issue.