Which versions of SOGo are affected by EUVD-2026-30804?

SOGo 5.12.7, an open-source groupware platform widely used for email and calendaring, contains a SQL injection vulnerability exploitable by any authenticated user (staff, contractors, authorized…. A patch is available.

How to fix or mitigate EUVD-2026-30804?

Within 24 hours: Identify all SOGo 5.12.7 deployments and active user count; assess data sensitivity in affected instances. Within 7 days: Upgrade all instances to SOGo 5.12.8 per vendor advisory. Within 30 days: Review authentication logs for suspicious /acls API queries or uid parameter injection attempts dating back 90 days; validate no unauthorized database access occurred.

SOGo EUVD-2026-30804

Q: What is the CVSS score of EUVD-2026-30804?

EUVD-2026-30804 has a CVSS 4.0 base score of 8.6 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-8851 HIGH

SQL Injection (CWE-89)

2026-05-18 VulnCheck

GHSA-7vv4-j48f-wcx7

SQLi

8.6

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Source Code Evidence Fetched

May 18, 2026 - 21:32 vuln.today

Analysis Generated

May 18, 2026 - 21:32 vuln.today

CVSS changed

May 18, 2026 - 21:22 NVD

8.1 (HIGH) 8.6 (HIGH)

DescriptionNVD

SOGo 5.12.7 contains a SQL injection vulnerability in the Access Control List management functionality that allows authenticated users to extract arbitrary data from the database by injecting SQL subqueries through the uid parameter of the addUserInAcls endpoint. Attackers can inject malicious SQL code to write extracted data into the sogo_acl table and retrieve it through the /acls API, establishing an out-of-band data exfiltration channel.

AnalysisAI

SQL injection in SOGo 5.12.7 (Alinto's open-source groupware/webmail platform) allows authenticated users to exfiltrate arbitrary database contents by injecting subqueries through the uid parameter of the addUserInAcls endpoint, then reading the staged data back via the /acls API. The flaw, reported by VulnCheck (with credit to dninh of SACOMBANK), is fixed in 5.12.8; no public exploit identified at time of analysis and the CVE is not on CISA KEV.

RemediationAI

Within 24 hours: Identify all SOGo 5.12.7 deployments and active user count; assess data sensitivity in affected instances. Within 7 days: Upgrade all instances to SOGo 5.12.8 per vendor advisory. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-30804 vulnerability details – vuln.today

Back

SOGo EUVD-2026-30804

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

SOGo EUVD-2026-30804

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code