CVE-2026-30238 - CVE Details, Severity, and Analysis | Strobes VI
injection and arbitrary JavaScript execution in the victim's browser. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10.","datePublished":"2026-03-09T16:21:36.545000","dateModified":"2026-03-09T17:59:10.325000","author":{"@type":"Organization","name":"Strobes Security","url":"https://strobes.co"},"publisher":{"@type":"Organization","name":"Strobes VI","url":"https://vi.strobes.co"},"mainEntityOfPage":{"@type":"WebPage","@id":"https://vi.strobes.co/cve/CVE-2026-30238"},"about":{"@type":"Thing","name":"CVE-2026-30238","description":"Security vulnerability CVE-2026-30238 with CVSS score 0"},"keywords":["CVE-2026-30238","CVE","vulnerability","security","low"]} injection and arbitrary JavaScript execution in the victim's browser. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10."}},{"@type":"Question","name":"What is the severity of CVE-2026-30238?","acceptedAnswer":{"@type":"Answer","text":"CVE-2026-30238 has a CVSS v3 score of 0, which is classified as Low severity."}},{"@type":"Question","name":"Is there an exploit available for CVE-2026-30238?","acceptedAnswer":{"@type":"Answer","text":"No known public exploits are currently available for CVE-2026-30238."}},{"@type":"Question","name":"Is there a patch available for CVE-2026-30238?","acceptedAnswer":{"@type":"Answer","text":"No official patches have been released yet for CVE-2026-30238. Consider implementing workarounds or mitigations."}}]}
CVE-2026-30238
Published: March 9, 2026
Last updated:
Exploit: NoZero-day: NoPatch: No
TL;DR
CVE-2026-30238 is a low severity vulnerability with a CVSS score of 0.0. No known public exploits at this time.
Key Points
1Low severity (CVSS 0.0/10)
2No known public exploits
3
Severity Scores
CVSS v30.0
CVSS v20.0
Priority Score0.0
EPSS Score0.0
None
Cite This Page
APA Format
Strobes VI. (2026). CVE-2026-30238 - CVE Details and Analysis. Strobes VI. Retrieved March 10, 2026, from https://vi.strobes.co/cve/CVE-2026-30238
Quick copy link + title
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.
Trend: Neutral
No official patches released yet
Exploitation LikelihoodMinimal
0.00%EPSS
Very low probability of exploitation
Monitor and patch as resources allow
0.00%
EPSS
0.0
CVSS
No
Exploit
No
Patch
Medium Priority
no patch
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
Description
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in GroupOffice on the external/index flow. The f parameter (Base64 JSON) is decoded and then injected into an inline JavaScript block without strict escaping, allowing </script><script>...</script> injection and arbitrary JavaScript execution in the victim's browser. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10.