CVE-2026-27947

Group-Office Vulnerable to Remote Code Execution (RCE)

Assigner: GitHub_M
Reserved: 25.02.2026 Published: 27.02.2026 Updated: 27.02.2026

Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.9, 25.0.87, and 6.8.154 have an authenticated Remote Code Execution vulnerability in the TNEF attachment processing flow. The vulnerable path extracts attacker-controlled files from winmail.dat and then invokes zip with a shell wildcard (*). Because extracted filenames are attacker-controlled, they can be interpreted as zip options and lead to arbitrary command execution. Versions 26.0.9, 25.0.87, and 6.8.154 fix the issue.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 9.4

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	None	Availability	High	Availability	High
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	Intermesh
Product	groupoffice
Versions	Version >= 26.0.0, < 26.0.9 is affected Version >= 25.0.0, < 25.0.87 is affected Version < 6.8.154 is affected

Vendor

Intermesh

Product

groupoffice

Versions

Version >= 26.0.0, < 26.0.9 is affected
Version >= 25.0.0, < 25.0.87 is affected
Version < 6.8.154 is affected

References

Problem Types

CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') CWE
CWE-434: Unrestricted Upload of File with Dangerous Type CWE

CVE-2026-27947 PUBLISHED

Group-Office Vulnerable to Remote Code Execution (RCE)

Metrics

Product Status

References

Problem Types