GROWI Path Traversal (CVE-2026-41951) Allows EJS Template Execution
The National Vulnerability Database has identified a path traversal vulnerability, CVE-2026-41951, in GROWI v7.5.0 and earlier. This flaw, rated with a CVSS score of 7.2 (HIGH), enables an attacker to execute arbitrary EJS templates on the server.
Exploitation requires that the GROWI instance is running an email server. An authenticated attacker could then use the path traversal to craft input that causes the application to load and execute EJS templates from locations outside the intended template directory. This gives them significant control over the server and could lead to full compromise.
For defenders, this is a clear-cut case: patch immediately. The attacker's calculus is simple: with even a low-privilege foothold and an active email server, this vulnerability offers a direct path to server-side code execution. It is a high-impact flaw that should be prioritized given its potential for remote code execution.
What This Means For You
- If your organization uses GROWI v7.5.0 or earlier, and especially if an email server is configured within GROWI, you are directly exposed to CVE-2026-41951. Prioritize patching to the latest version immediately to mitigate this high-severity path traversal vulnerability.
🛡️ Detection Rules
The following detection rule was auto-generated for this advisory and mapped to MITRE ATT&CK; it is provided as Sigma YAML.
```yaml
title: Credential Abuse from Breached Vendor — CVE-2026-41951
id: scw-2026-05-11-1
status: experimental
level: high
description: |
  Monitor for authentication attempts using credentials from target.local, potentially exposed in the CVE-2026-41951 breach.
author: SCW Feed Engine (auto-generated)
date: 2026-05-11
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41951/
tags:
  - attack.initial_access
  - attack.t1078.004
logsource:
  category: authentication
detection:
  selection:
    User|endswith:
      - '@target.local'
  condition: selection
falsepositives:
  - Legitimate activity from CVE-2026-41951
```
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41951 | Path Traversal | GROWI v7.5.0 and earlier |
| CVE-2026-41951 | RCE | execute arbitrary EJS templates on the server |
| CVE-2026-41951 | Misconfiguration | email server is running in GROWI |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 11, 2026 at 13:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.