CVE-2026-25134 - Group-Office Argument Injection in MaintenanceController::actionZipLanguage

CVE ID : CVE-2026-25134 Published : Feb. 2, 2026, 11:16 p.m. | 1 hour, 14 minutes ago Description : Group-Office is an enterprise customer relationship management and groupware tool. Prior to 6.8.150, 25.0.82, and 26.0.5, the MaintenanceController exposes an action zipLanguage which takes a lang parameter and passes it directly to a system zip command via exec(). This can be combined with uploading a crafted zip file to achieve remote code execution. This vulnerability is fixed in 6.8.150, 25.0.82, and 26.0.5. Severity: 9.4 | CRITICAL Visit the link for more details, such as CVSS details, affected products, timeline, and more...