Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

SOGo Webmail

Source -

CNA

CNA CVEs -

1

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated VendorsRelated AssignersReports
1Vulnerabilities found
CVE-2026-8851
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-8.6||HIGH
EPSS-Not Assigned
Published-18 May, 2026 | 20:10
Updated-18 May, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SOGo 5.12.7 SQL Injection via addUserInAcls endpoint

SOGo 5.12.7 contains a SQL injection vulnerability in the Access Control List management functionality that allows authenticated users to extract arbitrary data from the database by injecting SQL subqueries through the uid parameter of the addUserInAcls endpoint. Attackers can inject malicious SQL code to write extracted data into the sogo_acl table and retrieve it through the /acls API, establishing an out-of-band data exfiltration channel.

Action-Not Available
Vendor-Alinto
Product-SOGo Webmail
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')