[Japanese]

JVNDB-2026-000012

Multiple vulnerabilities in Cybozu Garoon

Overview

Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below.
  • [CyVDB-3687]Cross-site scripting vulnerability in E-mail (CWE-79) - CVE-2026-20711
  • [CyVDB-3689]Cross-site scripting vulnerability in Message (CWE-79) - CVE-2026-22881
  • [CyVDB-3995]Improper input verification in Portal setting (CWE-231) - CVE-2026-22888
CVE-2026-20711
Masato Kinugawa reported this vulnerability to Cybozu, Inc. and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.

CVE-2026-22881, CVE-2026-22888
Cybozu, Inc. reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 6.5 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2026-20711.

CVSS V3 Severity
Base Metrics: 5.7(Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2026-22881.

CVSS V3 Severity
Base Metrics: 4.9(Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2026-22888.
Affected Products


Cybozu, Inc.
  • Cybozu Garoon 5.0.0 to 6.0.3 (CVE-2026-20711, CVE-2026-22888)
  • Cybozu Garoon 5.15.0 to 6.0.3 (CVE-2026-22881)

Impact

  • An attacker could exploit a cross-site scripting vulnerability to reset arbitrary users' passwords. (CVE-2026-20711, CVE-2026-22881)
  • Data related to portal settings may be altered, potentially blocking access to the product. (CVE-2026-22888)
Solution

[Update the Software]
Update the software to the latest version according to the information provided by the developer.
Vendor Information

Cybozu, Inc.
CWE (What is CWE?)

  1. Cross-site Scripting(CWE-79) [IPA Evaluation]
  2. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2026-20711
  2. CVE-2026-22881
  3. CVE-2026-22888
References

  1. JVN : JVN#35265756
Revision History

  • [2026/02/02]
      Web page was published

Date Public2026/02/02
Date First Published2026/02/02
Date Last Updated2026/02/02