無料スキャン

このページはまだあなたの言語に翻訳されていません。翻訳作業中のため、英語でコンテンツを表示しています。

💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.

HIGHCVE-2026-46446CVSS 7.1

CVE-2026-46446: SQL Injection in SOGo

プラットフォーム

mariadb

コンポーネント

sogo

修正版

5.12.7

NVDで見る
保存
あなたの言語に翻訳中…

CVE-2026-46446 describes a SQL Injection vulnerability discovered in SOGo, a groupware server. This flaw allows attackers to potentially manipulate database queries, leading to unauthorized data access or modification. The vulnerability impacts SOGo versions from 0.0.0 up to and including 5.12.7, specifically when PostgreSQL or MariaDB are used as the database backend and cleartext passwords are stored. A fix is available in version 5.12.7.

影響と攻撃シナリオ翻訳中…

Successful exploitation of CVE-2026-46446 could allow an attacker to gain unauthorized access to sensitive data stored within the SOGo database. This includes user credentials (usernames and passwords stored in cleartext), email content, calendar entries, and contact information. Depending on the database privileges of the SOGo user, an attacker might be able to escalate their access to the underlying operating system, potentially leading to complete system compromise. The cleartext password storage significantly amplifies the impact, as stolen credentials can be used for lateral movement within the network. The potential for data exfiltration and disruption of groupware services makes this a serious concern.

悪用の状況翻訳中…

CVE-2026-46446 was published on May 14, 2026. Its severity is rated HIGH with a CVSS score of 7.1. There is currently no indication that this vulnerability is being actively exploited in the wild, nor is it listed on KEV or EPSS. Public proof-of-concept (POC) code is not yet available, but the vulnerability's nature suggests that it is likely to be exploited once a POC is released.

脅威インテリジェンス

エクスプロイト状況

概念実証不明
CISA KEVNO
インターネット露出

CVSS ベクトル

脅威インテリジェンス· CVSS 3.1CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L7.1HIGHAttack VectorNetwork攻撃者がターゲットに到達する方法Attack ComplexityHigh悪用に必要な条件Privileges RequiredLow攻撃に必要な認証レベルUser InteractionNone被害者の操作が必要かどうかScopeUnchanged影響コンポーネント外への波及ConfidentialityHigh機密データ漏洩のリスクIntegrityHigh不正データ改ざんのリスクAvailabilityLowサービス障害のリスクnextguardhq.com · CVSS v3.1 基本スコア
これらのメトリクスの意味は?
Attack Vector
ネットワーク — インターネット経由でリモートから悪用可能。物理・ローカルアクセス不要。
Attack Complexity
高 — 競合条件、非標準設定、または特定の状況が必要。悪用が難しい。
Privileges Required
低 — 有効なユーザーアカウントがあれば十分。
User Interaction
なし — 自動かつ無音の攻撃。被害者は何もしない。
Scope
変化なし — 影響は脆弱なコンポーネントのみ。
Confidentiality
高 — 機密性の完全喪失。全データが読み取り可能。
Integrity
高 — 任意のデータの書き込み・変更・削除が可能。
Availability
低 — 部分的または断続的なサービス拒否。

影響を受けるソフトウェア

コンポーネントsogo
ベンダーAlinto
最小バージョン0.0.0
最大バージョン5.12.7
修正版5.12.7

弱点分類 (CWE)

CWE-89

タイムライン

  1. 予約済み
  2. 公開日

緩和策と回避策翻訳中…

The primary mitigation for CVE-2026-46446 is to upgrade SOGo to version 5.12.7 or later. Prior to upgrading, it's crucial to back up your SOGo configuration and database to ensure data integrity in case of unforeseen issues. If an immediate upgrade is not feasible, consider implementing stricter database access controls and limiting the privileges of the SOGo database user. While not a complete solution, using a Web Application Firewall (WAF) with SQL injection protection rules can provide an additional layer of defense. Monitor SOGo logs for suspicious database queries that might indicate exploitation attempts. After upgrading, verify the fix by attempting a SQL injection attack on the changePasswordForLogin endpoint and confirming that it is properly sanitized.

修正方法翻訳中…

Actualice SOGo a la versión 5.12.7 o posterior para mitigar la vulnerabilidad de inyección SQL. Esta actualización corrige la forma en que se manejan las contraseñas en la función changePasswordForLogin, evitando la posibilidad de inyección SQL cuando se utilizan PostgreSQL o MariaDB con contraseñas almacenadas en texto plano.

よくある質問翻訳中…

What is CVE-2026-46446 — SQL Injection in SOGo?

CVE-2026-46446 is a SQL Injection vulnerability affecting SOGo versions 0.0.0 through 5.12.7. It allows attackers to potentially manipulate database queries when PostgreSQL or MariaDB are used with cleartext passwords.

Am I affected by CVE-2026-46446 in SOGo?

You are affected if you are running SOGo versions 0.0.0 through 5.12.7 and using PostgreSQL or MariaDB with cleartext passwords. Upgrade to version 5.12.7 to resolve the issue.

How do I fix CVE-2026-46446 in SOGo?

The recommended fix is to upgrade SOGo to version 5.12.7 or later. Back up your configuration and database before upgrading.

Is CVE-2026-46446 being actively exploited?

Currently, there is no public evidence of CVE-2026-46446 being actively exploited in the wild, but the vulnerability's nature suggests potential for future exploitation.

Where can I find the official SOGo advisory for CVE-2026-46446?

Refer to the official SOGo security advisory for CVE-2026-46446 on the SOGo website: [https://www.sogo.nu/security/advisories](https://www.sogo.nu/security/advisories) (replace with actual advisory URL when available).

あなたのプロジェクトは影響を受けていますか?

依存関係ファイルをアップロードすれば、このCVEや他のCVEがあなたに影響するか即座にわかります。

無料スキャンCVEを検索
scanZone.liveBadgescanZone.eyebrow

今すぐ試す — アカウント不要

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

手動スキャンSlack/メールアラートContinuous monitoringホワイトラベルレポート

依存関係ファイルをドラッグ&ドロップ

composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...