diff --git a/xmppserver/src/main/webapp/user-groups.jsp b/xmppserver/src/main/webapp/user-groups.jsp
index 1d848172d1..21c56a3bd4 100644
--- a/xmppserver/src/main/webapp/user-groups.jsp
+++ b/xmppserver/src/main/webapp/user-groups.jsp
@@ -1,7 +1,7 @@
 <%@ page contentType="text/html; charset=UTF-8" %>
 <%--
   -
-  - Copyright (C) 2005-2008 Jive Software, 2017-2025 Ignite Realtime Foundation. All rights reserved.
+  - Copyright (C) 2005-2008 Jive Software, 2017-2026 Ignite Realtime Foundation. All rights reserved.
   -
   - Licensed under the Apache License, Version 2.0 (the "License");
   - you may not use this file except in compliance with the License.
@@ -40,24 +40,26 @@
 
 <%
     // Get parameters
-    String add = StringUtils.escapeHTMLTags(ParamUtils.getParameter(request, "add"));
-    String delete = StringUtils.escapeHTMLTags(ParamUtils.getParameter(request, "delete"));
-    boolean success = ParamUtils.getBooleanParameter(request,"updatesuccess");
-    String username = StringUtils.escapeHTMLTags(ParamUtils.getParameter(request, "username"));
+    String add = ParamUtils.getParameter(request, "add");
+    String delete = ParamUtils.getParameter(request, "delete");
+    String username = ParamUtils.getParameter(request, "username");
     JID jid = webManager.getXMPPServer().createJID(username, null);
 
-        Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
-        String csrfParam = ParamUtils.getParameter(request, "csrf");
+    Cookie csrfCookie = CookieUtils.getCookie(request, "csrf");
+    String csrfParam = ParamUtils.getParameter(request, "csrf");
 
-        if (add != null || delete != null) {
-            if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
-                add = null;
-                delete = null;
-            }
+    Map<String,String> errors = new HashMap<>();
+    pageContext.setAttribute("errors", errors);
+    if (add != null || delete != null) {
+        if (csrfCookie == null || csrfParam == null || !csrfCookie.getValue().equals(csrfParam)) {
+            add = null;
+            delete = null;
+            errors.put("csrf", "CSRF security check failed! Please reload page and try again.");
         }
-        csrfParam = StringUtils.randomString(15);
-        CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
-        pageContext.setAttribute("csrf", csrfParam);
+    }
+    csrfParam = StringUtils.randomString(15);
+    CookieUtils.setCookie(request, response, "csrf", csrfParam, -1);
+    pageContext.setAttribute("csrf", csrfParam);
 
 
     if(add != null) {
@@ -92,7 +94,10 @@
     Collection<Group> userGroups = webManager.getGroupManager().getGroups(user);
     int start = ParamUtils.getIntParameter(request,"start",0);
     int range = ParamUtils.getIntParameter(request,"range",15);
-    
+    if (range <= 0) {
+        range = 15;
+    }
+
     if (request.getParameter("range") != null) {
         webManager.setRowsPerPage("group-summary", range);
     }
@@ -101,55 +106,75 @@
     // Remove already joined groups 
     groups.removeAll(userGroups);
     
-    int groupCount = groups.size();
-    int groupIndex = start + range;
 
     String search = null;
     if (webManager.getGroupManager().isSearchSupported() && request.getParameter("search") != null
             && !request.getParameter("search").trim().isEmpty()) {
         search = request.getParameter("search");
-        search = StringUtils.escapeHTMLTags(search);
         // Use the search terms to get the list of groups.
         groups = new ArrayList<>(webManager.getGroupManager().search(search));
-        // Count already joined groups in the search result 
-        int userGroupCount = 0;
-        for(Group group : groups) {
-    if(userGroups.contains(group)) {
-        userGroupCount++;
-    }
-        }
         groups.removeAll(userGroups);
-        groupCount = groups.size() - userGroupCount;
     }
-    
-    if(groupIndex >= groupCount) {
-        groupIndex = groupCount;
+
+    int groupCount = groups.size();
+
+    if (start < 0) {
+        start = 0;
     }
+    if (start >= groupCount) {
+        start = Math.max(0, ((groupCount - 1) / range) * range);
+    }
+    int end = Math.min(start + range, groupCount);
+    List<Group> pagedGroups = groups.subList(start, end);
 
     // paginator vars
-    int numPages = (int)Math.ceil((double)groupCount/(double)range);
-    int curPage = (start/range) + 1;
-    
-    if(success) {
-%>
-<admin:infoBox type="success">
-    <fmt:message key="user.groups.form.update" />
-</admin:infoBox>
-<%
-    }
+    int numPages = groupCount == 0 ? 1 : (int)Math.ceil((double)groupCount / range);
+    int curPage = groupCount == 0 ? 1 : (start / range) + 1;
+
+    pageContext.setAttribute("username", username);
+    pageContext.setAttribute("userGroups", userGroups);
+    pageContext.setAttribute("groupCount", groupCount);
+    pageContext.setAttribute("pagedGroups", pagedGroups);
+    pageContext.setAttribute("numPages", numPages);
+    pageContext.setAttribute("start", start);
+    pageContext.setAttribute("curPage", curPage);
+    pageContext.setAttribute("range", range);
+    pageContext.setAttribute("search", search);
 %>
-
 <html>
 <head>
-<title><fmt:message key="user.groups.title" /></title>
-<meta name="subPageID" content="user-groups" />
-<meta name="extraParams"
-    content="<%="username="+URLEncoder.encode(username, StandardCharsets.UTF_8)%>" />
+    <title><fmt:message key="user.groups.title" /></title>
+    <meta name="subPageID" content="user-groups" />
+    <meta name="extraParams" content="username=${admin:urlEncode(username)}" />
 </head>
 <body>
+
+    <c:choose>
+        <c:when test="${not empty errors}">
+            <c:forEach var="err" items="${errors}">
+                <admin:infobox type="error">
+                    <c:choose>
+                        <c:when test="${err.key eq 'csrf'}"><fmt:message key="global.csrf.failed" /></c:when>
+                        <c:otherwise>
+                            <c:if test="${not empty err.value}">
+                                <fmt:message key="admin.error"/>: <c:out value="${err.value}"/>
+                            </c:if>
+                            (<c:out value="${err.key}"/>)
+                        </c:otherwise>
+                    </c:choose>
+                </admin:infobox>
+            </c:forEach>
+        </c:when>
+        <c:when test="${param.updatesuccess}">
+            <admin:infobox type="success">
+                <fmt:message key="user.groups.form.update" />
+            </admin:infobox>
+        </c:when>
+    </c:choose>
+
     <p>
         <fmt:message key="user.groups.member.info" />
-        <b><%=username%>.</b>
+        <b><c:out value="${username}"/>.</b>
     </p>
     <div class="jive-table">
         <table>
@@ -161,41 +186,30 @@
                 </tr>
             </thead>
             <tbody>
-                <%
-                    // Print the list of groups
-                                                            if (userGroups.isEmpty()) {
-                %>
-                <tr>
-                    <td style="text-align: center" colspan="6"><fmt:message
-                            key="group.summary.no_groups" /></td>
-                </tr>
-
-                <%
-                    }
-                                                            int x = 0;
-                                                            for (Group group : userGroups) {
-                                                                String groupName = URLEncoder.encode(group.getName(), StandardCharsets.UTF_8);
-                                                                x++;
-                %>
-                <tr>
-                    <td  style="width: 1%; vertical-align: top"><%=x%></td>
-                    <td><a href="group-edit.jsp?group=<%=groupName%>"><%=StringUtils.escapeHTMLTags(group.getName())%></a>
-                        <%
-                            if (group.getDescription() != null) {
-                        %> <br> <span class="jive-description"> <%=StringUtils.escapeHTMLTags(group.getDescription())%>
-                    </span> <%
-    }
- %></td>
-
-                    <td style="width: 5%"><a
-                        href="user-groups.jsp?username=<%=URLEncoder.encode(user.getUsername(), StandardCharsets.UTF_8)%>&delete=<%=groupName%>&csrf=${csrf}"
-                        title="<fmt:message key="global.click_delete" />"><img
-                            src="images/delete-16x16.gif"
-                            alt="<fmt:message key="global.click_delete" />"></a></td>
-                </tr>
-                <%
-                    }
-                %>
+                <c:choose>
+                    <c:when test="${empty userGroups}">
+                        <tr>
+                            <td style="text-align: center" colspan="3"><fmt:message key="group.summary.no_groups" /></td>
+                        </tr>
+                    </c:when>
+                    <c:otherwise>
+                        <c:forEach var="group" items="${userGroups}" varStatus="status">
+                            <tr>
+                                <td style="width: 1%; vertical-align: top"><c:out value="${status.count}"/></td>
+                                <td><a href="group-edit.jsp?group=${admin:urlEncode(group.name)}"><c:out value="${group.name}"/></a>
+                                    <c:if test="${not empty group.description}">
+                                        <br> <span class="jive-description"> <c:out value="${group.description}"/></span>
+                                    </c:if>
+                                </td>
+                                <td style="width: 5%"><a
+                                    href="user-groups.jsp?username=${admin:urlEncode(username)}&delete=${admin:urlEncode(group.name)}&csrf=${admin:urlEncode(csrf)}"
+                                    title="<fmt:message key="global.click_delete" />"><img
+                                    src="images/delete-16x16.gif"
+                                    alt="<fmt:message key="global.click_delete" />"></a></td>
+                            </tr>
+                        </c:forEach>
+                    </c:otherwise>
+                </c:choose>
             </tbody>
         </table>
     </div>
@@ -203,76 +217,50 @@
 
     <p>
         <fmt:message key="user.groups.info" />
-        <b><%=username%>.</b>
-    </p>
-    <%
-        if (webManager.getGroupManager().isSearchSupported()) {
-    %>
-
-    <form action="user-groups.jsp" method="get" name="searchForm">
-        <table style="width: 100%">
-            <tr>
-                <td style="vertical-align: bottom"><fmt:message key="group.summary.total_group" /> <b><%=groupCount%></b></td>
-                <td style="text-align: right; vertical-align: bottom"><label for="search"><fmt:message key="group.summary.search" />:</label> <input type="text" size="30" maxlength="150" id="search" name="search" value="<c:out value='${param.search}'/>"></td>
-            </tr>
-        </table>
-        <input type="hidden" name="username"
-            value="<%=StringUtils.escapeForXML(user.getUsername())%>">
-    </form>
-
-    <script>
-        document.searchForm.search.focus();
-    </script>
-
-    <%
-        }
-        // Otherwise, searching is not supported.
-        else {
-    %>
-    <p>
-        <fmt:message key="group.summary.total_group" />
-        <b><%=groupCount%></b>
-        <%
-            if (numPages > 1) {
-        %>
-
-        ,
-        <fmt:message key="global.showing" />
-        <%=(start + 1)%>-<%=(start + range)%>
-
-        <%
-            }
-        %>
+        <b><c:out value="${username}"/>.</b>
     </p>
-    <%
-        }
-    %>
-
-    <%
-        if (numPages > 1) {
-    %>
-
-    <p>
-        <fmt:message key="global.pages" />
-        [
-        <%
-            for (int i = 0; i < numPages; i++) {
-                    String sep = ((i + 1) < numPages) ? " " : "";
-                    boolean isCurrent = (i + 1) == curPage;
-        %>
-        <a
-            href="user-groups.jsp?username=<%=StringUtils.escapeForXML(user.getUsername())%>&start=<%=(i * range)%><%=search != null ? "&search=" + URLEncoder.encode(search, StandardCharsets.UTF_8) : ""%>"
-            class="<%=((isCurrent) ? "jive-current" : "")%>"><%=(i + 1)%></a><%=sep%>
-
-        <%
-            }
-        %>
-        ]
-    </p>
-
-    <%
-        }
-    %>
+    <c:choose>
+        <c:when test="${webManager.groupManager.searchSupported}">
+            <form action="user-groups.jsp" method="get" name="searchForm">
+                <table style="width: 100%">
+                    <tr>
+                        <td style="vertical-align: bottom"><fmt:message key="group.summary.total_group" /> <b><fmt:formatNumber value="${groupCount}"/></b></td>
+                        <td style="text-align: right; vertical-align: bottom"><label for="search"><fmt:message key="group.summary.search" />:</label> <input type="text" size="30" maxlength="150" id="search" name="search" value="<c:out value='${param.search}'/>"></td>
+                    </tr>
+                </table>
+                <input type="hidden" name="username" value="${admin:escapeHTMLTags(username)}"/>
+                <input type="hidden" name="csrf" value="${admin:escapeHTMLTags(csrf)}"/>
+            </form>
+
+            <script>
+                document.searchForm.search.focus();
+            </script>
+        </c:when>
+        <c:otherwise>
+            <p>
+                <fmt:message key="group.summary.total_group" />
+                <b><fmt:formatNumber value="${groupCount}"/></b>
+                <c:if test="${numPages gt 1}">
+                    ,
+                    <fmt:message key="global.showing" />
+                    <fmt:formatNumber value="${start + 1}"/>-<fmt:formatNumber value="${start + pagedGroups.size()}"/>
+                </c:if>
+            </p>
+        </c:otherwise>
+    </c:choose>
+
+    <c:if test="${numPages gt 1}">
+        <p>
+            <fmt:message key="global.pages" />
+            [
+            <c:forEach var="i" begin="0" end="${numPages - 1}">
+                <c:set var="sep" value="${i + 1 lt numPages ? ' ' : ''}"/>
+                <c:set var="current" value="${i+1 eq curPage}"/>
+                <a href="user-groups.jsp?username=${admin:urlEncode(username)}&start=${admin:urlEncode(i*range)}&range=${admin:urlEncode(range)}&search=${admin:urlEncode(empty search ? '' : search)}" class="${current ? 'jive-current' : ''}"><c:out value="${i + 1}"/></a><c:out value="${sep}"/>
+            </c:forEach>
+            ]
+        </p>
+    </c:if>
 
     <div class="jive-table">
         <table>
@@ -284,71 +272,47 @@
                 </tr>
             </thead>
             <tbody>
-
-                <%
-                    // Print the list of groups
-                    if (groups.isEmpty()) {
-                %>
-                <tr>
-                    <td style="text-align: center" colspan="6"><fmt:message
-                            key="group.summary.no_groups" /></td>
-                </tr>
-
-                <%
-                    }
-                    int i = 0;
-                    for (Group group : groups.subList(start, groupIndex)) {
-                        String groupName = URLEncoder.encode(group.getName(), StandardCharsets.UTF_8);
-                        i++;
-                %>
-                <tr>
-                    <td  style="width: 1%; vertical-align: top"><%=i%></td>
-                    <td><a href="group-edit.jsp?group=<%=groupName%>"><%=StringUtils.escapeHTMLTags(group.getName())%></a>
-                        <%
-                            if (group.getDescription() != null) {
-                        %> <br> <span class="jive-description"> <%=StringUtils.escapeHTMLTags(group.getDescription())%>
-                    </span> <%
-    }
- %></td>
-
-                    <td style="width: 5%"><a
-                        href="user-groups.jsp?username=<%=URLEncoder.encode(user.getUsername(), StandardCharsets.UTF_8)%>&add=<%=groupName%>&csrf=${csrf}"
-                        title="<fmt:message key="global.click_add" />"> <img
-                            src="images/add-16x16.gif"
-                            alt="<fmt:message key="global.click_add" />"></a></td>
-                </tr>
-                <%
-                    }
-                %>
+                <c:choose>
+                    <c:when test="${empty pagedGroups}">
+                        <tr>
+                            <td style="text-align: center" colspan="3"><fmt:message key="group.summary.no_groups" /></td>
+                        </tr>
+                    </c:when>
+                    <c:otherwise>
+                        <c:forEach var="group" items="${pagedGroups}" varStatus="status">
+                            <tr>
+                                <td style="width: 1%; vertical-align: top"><fmt:formatNumber value="${status.count + start}"/></td>
+                                <td><a href="group-edit.jsp?group=${admin:urlEncode(group.name)}"><c:out value="${group.name}"/></a>
+                                    <c:if test="${not empty group.description}">
+                                        <br> <span class="jive-description"> <c:out value="${group.description}"/> </span>
+                                    </c:if>
+                                </td>
+                                <td style="width: 5%"><a
+                                    href="user-groups.jsp?username=${admin:urlEncode(username)}&add=${admin:urlEncode(group.name)}&csrf=${admin:urlEncode(csrf)}"
+                                    title="<fmt:message key="global.click_add" />"> <img
+                                    src="images/add-16x16.gif"
+                                    alt="<fmt:message key="global.click_add" />"></a></td>
+                            </tr>
+                        </c:forEach>
+                    </c:otherwise>
+                </c:choose>
             </tbody>
         </table>
     </div>
 
-    <%
-        if (numPages > 1) {
-    %>
-    <br>
-    <p>
-        <fmt:message key="global.pages" />
-        [
-        <%
-            for (i = 0; i < numPages; i++) {
-                    String sep = ((i + 1) < numPages) ? " " : "";
-                    boolean isCurrent = (i + 1) == curPage;
-        %>
-        <a
-            href="user-groups.jsp?username=<%=StringUtils.escapeForXML(user.getUsername())%>&start=<%=(i * range)%><%=search != null ? "&search=" + URLEncoder.encode(search, StandardCharsets.UTF_8) : ""%>"
-            class="<%=((isCurrent) ? "jive-current" : "")%>"><%=(i + 1)%></a><%=sep%>
-
-        <%
-            }
-        %>
-        ]
-    </p>
-
-    <%
-        }
-    %>
+    <c:if test="${numPages gt 1}">
+        <br>
+        <p>
+            <fmt:message key="global.pages" />
+            [
+            <c:forEach var="i" begin="0" end="${numPages - 1}">
+                <c:set var="sep" value="${i + 1 lt numPages ? ' ' : ''}"/>
+                <c:set var="current" value="${i+1 eq curPage}"/>
+                <a href="user-groups.jsp?username=${admin:urlEncode(username)}&start=${admin:urlEncode(i*range)}&range=${admin:urlEncode(range)}&search=${admin:urlEncode(empty search ? '' : search)}" class="${current ? 'jive-current' : ''}"><c:out value="${i + 1}"/></a><c:out value="${sep}"/>
+            </c:forEach>
+            ]
+        </p>
+    </c:if>
 
 </body>
 </html>