Skip to main content

SOGo CVE-2026-46445

| EUVDEUVD-2026-30212 HIGH
SQL Injection (CWE-89)
2026-05-14 mitre GHSA-vhv6-3crj-r8jm
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 08, 2026 - 08:48 vuln.today
Analysis Generated
Jun 08, 2026 - 08:48 vuln.today
Patch available
May 14, 2026 - 04:16 EUVD

DescriptionCVE.org

SOGo before 5.12.7, when PostgreSQL is used, allows SQL injection.

AnalysisAI

SQL injection in Alinto SOGo versions prior to 5.12.7 allows authenticated remote attackers to manipulate database queries when the groupware is deployed against a PostgreSQL backend. The flaw stems from improper quoting in the SQLSource authentication and contact-lookup paths, which an attacker can leverage to read or modify data with high confidentiality and integrity impact. No public exploit identified at time of analysis and EPSS is very low (0.03%), but a vendor patch and upstream code fix are available.

Technical ContextAI

SOGo is an open-source groupware server (calendar, address book, webmail) developed by Alinto, and the affected component is the Objective-C SQLSource module that builds SQL against the configured authentication source. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): pre-patch code in SoObjects/SOGo/SQLSource.m manually escaped single quotes via stringByReplacingString and concatenated user-controlled login, password, and contact-filter values directly into UPDATE and SELECT statements. The PostgreSQL backend uses different quoting/escaping semantics than MySQL or SQLite (e.g., backslash and dollar-quoting behaviors), so the ad-hoc single-quote doubling does not fully neutralize injection payloads. The fix in PR 379 replaces manual string concatenation with EOQualifier / EOKeyValueQualifier objects rendered through the active EOAdaptor, delegating proper parameter quoting to the database adapter layer.

RemediationAI

Apply the vendor-released patch by upgrading to SOGo 5.12.7 or later, as announced at https://www.sogo.nu/news/2026/sogo-v5127-released.html; the corresponding upstream code change is in Alinto/sogo PR #379 (https://github.com/Alinto/sogo/pull/379) which rewrites SQLSource.m to use EOQualifier/EOAdaptor parameterization. If immediate patching is not possible, compensating controls include switching the authentication source away from the SQL/PostgreSQL backend to LDAP (eliminates the vulnerable code path but requires a directory server and re-provisioning of accounts), restricting network access to the SOGo web interface to trusted management VLANs or via reverse-proxy ACLs (reduces exposure but breaks remote user access), and enforcing strong, unique credentials plus aggressive account lockout on the SOGo login endpoint to raise the cost of obtaining the low-privilege foothold the attack requires. Distribution users should also track the Debian advisory at https://www.mail-archive.com/debian-bugs-dist%40lists.debian.org/msg2100131.html for backported packages.

CVE-2025-1094 HIGH POC
8.1 Feb 13

PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl

CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2013-1899 MEDIUM POC
6.5 Apr 04

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re

CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2017-7546 CRITICAL
9.8 Aug 16

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow

CVE-2015-1352 MEDIUM POC
5.0 Mar 30

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t

CVE-2024-10553 CRITICAL POC
9.8 Mar 20

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra

CVE-2019-9193 HIGH POC
7.2 Apr 01

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve

CVE-2026-40887 CRITICAL POC
9.1 Apr 14

## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2024-12909 CRITICAL POC
9.8 Mar 20

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for

Share

CVE-2026-46445 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy