Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Network-accessible endpoint requires only a standard authenticated user (PR:L); SQL injection yields partial C/I/A impact within unchanged database scope.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
A SQL injection vulnerability in SOGo before 5.12.7 allows authenticated users to execute arbitrary SQL statements via the search parameter of the allContactSearch endpoint.
AnalysisAI
SQL injection in SOGo's allContactSearch endpoint permits authenticated users to inject arbitrary SQL via the unsanitized search parameter, affecting all SOGo releases before 5.12.7. An attacker with a valid SOGo account can manipulate backend SQL queries to read, alter, or partially disrupt contact database contents - confirmed by both the upstream fix commit and the vendor's 5.12.7 release announcement. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid, authenticated SOGo user session (CVSS PR:L confirms this). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L scores 6.3 (Medium), reflecting a network-reachable, low-complexity flaw requiring only authenticated user access. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated SOGo user - for example, a low-privilege shared-tenant account - submits a contact search request to the allContactSearch endpoint with a crafted search value such as a closing quote followed by a UNION SELECT or stacked query. The backend SQL statement incorporates the payload verbatim, allowing the attacker to exfiltrate rows from the contacts database or modify records within the database context SOGo operates under. … |
| Remediation | Upgrade SOGo to version 5.12.7 or later, as documented in the vendor release announcement at https://www.sogo.nu/news/2026/sogo-v5127-released.html and patched in commit 1f7e5d2b2c2047c44a6a9e05f73c36491cb96d21 on the Alinto/sogo GitHub repository. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42499
GHSA-5fp2-8g3x-xw93