MEDIUM
Intermesh
CVE published 2026-05-29
CVE-2026-45551
GroupOffice versions prior to 26.0.25, 25.0.100, and 6.8.165 contain a stored cross-site scripting (XSS) vulnerability arising from the combination of two weaknesses. First, the application allows authenticated users to persist arbitrary legacy settings for any user_id via the index.php?r=core/saveSetting endpoint without proper authorization checks. Second, the email module's client-side code injects the [truncated]