CVE-2026-46446

HIGH NVD

CVSS Score 7.1

Severity HIGH

Published May 14, 2026

Vendor unknown

Description

SOGo before 5.12.7, when PostgreSQL or MariaDB is used, and cleartext passwords are stored, allows SQL injection. This is related to c_password = '%@' in changePasswordForLogin.

References

https://github.com/Alinto/sogo/pull/379/changes/1f7e5d2b2c2047c44a6a9e05f73c36491cb96d21
https://www.mail-archive.com/debian-bugs-dist%40lists.debian.org/msg2100131.html
https://www.sogo.nu/news/2026/sogo-v5127-released.html