Skip to main content

SOGo CVE-2026-39178

| EUVDEUVD-2026-42499 MEDIUM
SQL Injection (CWE-89)
2026-07-08 cve@mitre.org GHSA-5fp2-8g3x-xw93
6.3
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
vuln.today AI
6.3 MEDIUM

Network-accessible endpoint requires only a standard authenticated user (PR:L); SQL injection yields partial C/I/A impact within unchanged database scope.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Analysis Generated
Jul 09, 2026 - 17:14 vuln.today
CVSS changed
Jul 09, 2026 - 16:22 NVD
6.3 (MEDIUM)
CVE Published
Jul 08, 2026 - 22:17 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

A SQL injection vulnerability in SOGo before 5.12.7 allows authenticated users to execute arbitrary SQL statements via the search parameter of the allContactSearch endpoint.

AnalysisAI

SQL injection in SOGo's allContactSearch endpoint permits authenticated users to inject arbitrary SQL via the unsanitized search parameter, affecting all SOGo releases before 5.12.7. An attacker with a valid SOGo account can manipulate backend SQL queries to read, alter, or partially disrupt contact database contents - confirmed by both the upstream fix commit and the vendor's 5.12.7 release announcement. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid SOGo user credentials
Delivery
Authenticate to SOGo web or API interface
Exploit
Send crafted HTTP request to allContactSearch endpoint with SQL payload in search parameter
Execution
Backend SQL query executes attacker-controlled statement
Impact
Exfiltrate or manipulate contact database records

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid, authenticated SOGo user session (CVSS PR:L confirms this). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L scores 6.3 (Medium), reflecting a network-reachable, low-complexity flaw requiring only authenticated user access. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated SOGo user - for example, a low-privilege shared-tenant account - submits a contact search request to the allContactSearch endpoint with a crafted search value such as a closing quote followed by a UNION SELECT or stacked query. The backend SQL statement incorporates the payload verbatim, allowing the attacker to exfiltrate rows from the contacts database or modify records within the database context SOGo operates under. …
Remediation Upgrade SOGo to version 5.12.7 or later, as documented in the vendor release announcement at https://www.sogo.nu/news/2026/sogo-v5127-released.html and patched in commit 1f7e5d2b2c2047c44a6a9e05f73c36491cb96d21 on the Alinto/sogo GitHub repository. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-39178 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy