CVE-2026-25134

Vulnerability Description

Group-Office is an enterprise customer relationship management and groupware tool. Prior to 6.8.150, 25.0.82, and 26.0.5, the MaintenanceController exposes an action zipLanguage which takes a lang parameter and passes it directly to a system zip command via exec(). This can be combined with uploading a crafted zip file to achieve remote code execution. This vulnerability is fixed in 6.8.150, 25.0.82, and 26.0.5.

Vulnerability Details

Published Date

February 02, 2026

Last Modified

February 04, 2026

CWE ID

CWE-88

Source

NVD

Vendor

Intermesh

Product

groupoffice

External References

https://github.com/Intermesh/groupoffice/commit/d28490a6a29936db7888aa841ab8ade88800540b
https://github.com/Intermesh/groupoffice/security/advisories/GHSA-v39j-549w-8849

CVE-2026-25134

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment