CVE-2026-33755 - Vulnerability Analysis
High | CVSS: 8.8 | Last Updated: March 27, 2026
Group-Office - SQL Injection
Published: March 27, 2026 | Updated: March 27, 2026 | Remote Exploitable
Overview
Group-Office versions < 6.8.158, < 25.0.92, and < 26.0.17 contain an authenticated SQL injection caused by improper input sanitization in the JMAP Contact/query endpoint. It lets authenticated users with basic addressbook access extract arbitrary database data, including session tokens. Exploitation requires authentication with basic addressbook access.
Severity & Score
Severity: High
CVSS Score: 8.8
Impact
Authenticated users can extract sensitive data and fully take over any account, including the System Administrator, without knowing passwords.
Mitigation
Upgrade to versions 6.8.158, 25.0.92, or 26.0.17 or later.
Details
- CVE ID: CVE-2026-33755
- Severity: High
- CVSS Score: 8.8
- Type: sql_injection
- Status: new
CWE
- CWE-89
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H