Is Microsoft affected by CVE-2026-33755?

Intermesh Group-Office versions prior to 6.8.158, 25.0.92, and 26.0.17 contain an authenticated SQL injection vulnerability in the JMAP Contact/query endpoint that allows any user with basic addressbook access to extract session tokens and assume control of arbitrary user accounts, including…

CVE-2026-33755

EUVD-2026-16622 HIGH

2026-03-27 GitHub_M

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 27, 2026 - 14:30 vuln.today

EUVD ID Assigned

Mar 27, 2026 - 14:30 euvd

EUVD-2026-16622

CVE Published

Mar 27, 2026 - 14:08 nvd

HIGH 8.8

Description

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP `Contact/query` endpoint allows any authenticated user with basic addressbook access to extract arbitrary data from the database - including active session tokens of other users. This enables full account takeover of any user, including the System Administrator, without knowing their password. Versions 6.8.158, 25.0.92, and 26.0.17 fix the issue.

Analysis

Authenticated SQL injection in Intermesh Group-Office JMAP Contact/query endpoint enables any user with basic addressbook access to extract session tokens from the database and perform complete account takeover of arbitrary users including administrators. Versions prior to 6.8.158, 25.0.92, and 26.0.17 are vulnerable. …

Remediation

Within 24 hours: Identify all Intermesh Group-Office deployments and document current versions. Within 7 days: Upgrade to patched versions 6.8.158, 25.0.92, or 26.0.17 or later; if immediate upgrade is not feasible, implement network access restrictions to the JMAP endpoint and restrict addressbook access to trusted users only. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +44

POC: 0

CVE-2026-33755 vulnerability details – vuln.today

Back

CVE-2026-33755

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-33755

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code