EUVD-2026-16622
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Description
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP `Contact/query` endpoint allows any authenticated user with basic addressbook access to extract arbitrary data from the database - including active session tokens of other users. This enables full account takeover of any user, including the System Administrator, without knowing their password. Versions 6.8.158, 25.0.92, and 26.0.17 fix the issue.
Analysis
Authenticated SQL injection in Intermesh Group-Office JMAP Contact/query endpoint enables any user with basic addressbook access to extract session tokens from the database and perform complete account takeover of arbitrary users including administrators. Versions prior to 6.8.158, 25.0.92, and 26.0.17 are vulnerable. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Intermesh Group-Office deployments and document current versions. Within 7 days: Upgrade to patched versions 6.8.158, 25.0.92, or 26.0.17 or later; if immediate upgrade is not feasible, implement network access restrictions to the JMAP endpoint and restrict addressbook access to trusted users only. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today