Esta página ainda não foi traduzida para o seu idioma. Exibindo conteúdo em inglês enquanto trabalhamos nisso.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2026-46445: SQL Injection in SOGo
Plataforma
postgresql
Componente
sogo
Corrigido em
5.12.7
CVE-2026-46445 describes a SQL Injection vulnerability affecting SOGo versions from 0.0.0 up to and including 5.12.7. This flaw allows attackers to inject malicious SQL code, potentially leading to unauthorized data access and manipulation. The vulnerability is specifically triggered when SOGo is configured to use a PostgreSQL database. A fix is available in version 5.12.7.
Impacto e Cenários de Ataquetraduzindo…
Successful exploitation of CVE-2026-46445 could allow an attacker to bypass authentication and gain unauthorized access to the SOGo database. This could lead to the exfiltration of sensitive user data, including email content, calendar entries, and contact information. Depending on the database permissions, an attacker might also be able to modify or delete data, potentially disrupting SOGo services or causing data loss. The impact is particularly severe in environments where SOGo is used to manage critical business communications and data.
Contexto de Exploraçãotraduzindo…
CVE-2026-46445 was published on May 14, 2026. Severity is rated as HIGH (CVSS 7.1). There are currently no publicly known exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on KEV (Known Exploited Vulnerabilities) as of the publication date. Monitor security advisories and threat intelligence feeds for any updates.
Inteligência de Ameaças
Status do Exploit
Vetor CVSS
O que significam essas métricas?
- Attack Vector
- Rede — explorável remotamente pela internet. Sem acesso físico ou local necessário.
- Attack Complexity
- Alta — exige condição de corrida, configuração não padrão ou circunstâncias específicas.
- Privileges Required
- Baixo — qualquer conta de usuário válida é suficiente.
- User Interaction
- Nenhuma — ataque automático e silencioso. A vítima não faz nada.
- Scope
- Inalterado — impacto limitado ao componente vulnerável.
- Confidentiality
- Alto — perda total de confidencialidade. O atacante pode ler todos os dados.
- Integrity
- Alto — o atacante pode escrever, modificar ou excluir qualquer dado.
- Availability
- Baixo — negação de serviço parcial ou intermitente.
Software Afetado
Classificação de Fraqueza (CWE)
Linha do tempo
- Reservado
- Publicada
Mitigação e Soluções Alternativastraduzindo…
The primary mitigation for CVE-2026-46445 is to upgrade SOGo to version 5.12.7 or later. Before upgrading, it's crucial to review the SOGo release notes for any potential breaking changes and test the upgrade in a non-production environment. As a temporary workaround, consider implementing strict input validation and sanitization on all user-supplied data that is used in SQL queries. While not a complete solution, this can help reduce the attack surface. Additionally, review PostgreSQL database user permissions to ensure they adhere to the principle of least privilege.
Como corrigirtraduzindo…
Actualice SOGo a la versión 5.12.7 o posterior para mitigar la vulnerabilidad de inyección SQL. Esta actualización corrige una falla que permite a atacantes inyectar código SQL malicioso a través de consultas a la base de datos PostgreSQL.
Perguntas frequentestraduzindo…
What is CVE-2026-46445 — SQL Injection in SOGo?
CVE-2026-46445 is a SQL Injection vulnerability affecting SOGo versions 0.0.0 through 5.12.7 when using PostgreSQL. It allows attackers to inject malicious SQL code to potentially access or modify the database.
Am I affected by CVE-2026-46445 in SOGo?
You are affected if you are running SOGo versions 0.0.0 through 5.12.7 and using a PostgreSQL database. Verify your SOGo version and upgrade if necessary.
How do I fix CVE-2026-46445 in SOGo?
Upgrade SOGo to version 5.12.7 or later. Review the release notes for potential breaking changes and test the upgrade in a non-production environment before applying it to production.
Is CVE-2026-46445 being actively exploited?
As of the publication date, there are no publicly known exploits or active campaigns targeting CVE-2026-46445. However, it's crucial to apply the fix promptly to mitigate potential future risks.
Where can I find the official SOGo advisory for CVE-2026-46445?
Refer to the official SOGo security advisories on the SOGo website: [https://www.sogo.nu/security/](https://www.sogo.nu/security/)
Seu projeto está afetado?
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.
Experimente agora — sem conta
Faça upload de qualquer manifesto (composer.lock, package-lock.json, lista de plugins WordPress…) ou cole sua lista de componentes. Receba um relatório de vulnerabilidades instantaneamente. Fazer upload de um arquivo é só o começo: com uma conta, você obtém monitoramento contínuo, alertas por Slack/email, relatórios multiprojeto e white-label.
Arraste e solte seu arquivo de dependências
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...