CVE-2026-25134 PUBLISHED

Group-Office Argument Injection in MaintenanceController::actionZipLanguage

Assigner: GitHub_M
Reserved: 29.01.2026 Published: 02.02.2026 Updated: 02.02.2026

Group-Office is an enterprise customer relationship management and groupware tool. Prior to 6.8.150, 25.0.82, and 26.0.5, the MaintenanceController exposes an action zipLanguage which takes a lang parameter and passes it directly to a system zip command via exec(). This can be combined with uploading a crafted zip file to achieve remote code execution. This vulnerability is fixed in 6.8.150, 25.0.82, and 26.0.5.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 9.4

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	None	Availability	High	Availability	High
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	Intermesh
Product	groupoffice
Versions	Version < 6.8.150 is affected Version >= 25.0.0, < 25.0.82 is affected Version >= 26.0.0, < 26.0.5 is affected

References

Problem Types

CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') CWE