CVE-2026-33755

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-33755

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33755.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-33755

Aliases

GHSA-3gc4-5993-c2qc

Published

2026-03-27T14:08:38.685Z

Modified

2026-04-10T05:42:56.367181Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Authenticated SQL Injection in Contact/query addressBookIds filter

Details

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP Contact/query endpoint allows any authenticated user with basic addressbook access to extract arbitrary data from the database — including active session tokens of other users. This enables full account takeover of any user, including the System Administrator, without knowing their password. Versions 6.8.158, 25.0.92, and 26.0.17 fix the issue.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-89"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33755.json"
}

References

Affected packages

Git / github.com/intermesh/groupoffice

Affected ranges

Type

GIT

Repo

https://github.com/intermesh/groupoffice

Events

Introduced

Fixed

6273bfec71c8a6226aaacf36a9ef8262e4dab6f1

Fixed

9ce38e88f8108a893b1b45a94158698551f011bc

Fixed

0df2aa72e87edcab9756b91b54f03e019d7ce304

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "6.8.158"
        },
        {
            "fixed": "25.0.92"
        },
        {
            "fixed": "26.0.17"
        }
    ]
}

Affected versions

v25.*

v25.0.10

v25.0.11

v25.0.12

v25.0.14

v25.0.15

v25.0.16

v25.0.20

v25.0.21

v25.0.22

v25.0.23

v25.0.25

v25.0.27

v25.0.28

v25.0.29

v25.0.30

v25.0.32

v25.0.34

v25.0.35

v25.0.36

v25.0.37

v25.0.38

v25.0.39

v25.0.40

v25.0.46

v25.0.47

v25.0.48

v25.0.49

v25.0.50

v25.0.51

v25.0.52

v25.0.53

v25.0.55

v25.0.56

v25.0.58

v25.0.59

v25.0.61

v25.0.62

v25.0.64

v25.0.66

v25.0.67

v25.0.68

v25.0.69

v25.0.70

v25.0.71

v25.0.72

v25.0.74

v25.0.75

v25.0.76

v25.0.78

v25.0.79

v25.0.80

v25.0.81

v25.0.82

v25.0.83

v25.0.84

v25.0.85

v25.0.86

v25.0.87

v25.0.89

v25.0.9

v25.0.90

v25.0.91

v26.*

v26.0.13

v26.0.14

v26.0.15

v26.0.16

v26.0.4

v26.0.5

v26.0.6

v26.0.7

v26.0.9

v6.*

v6.3.1

v6.3.10

v6.3.11

v6.3.12

v6.3.14

v6.3.3

v6.3.4

v6.3.5

v6.3.6

v6.3.7

v6.3.8

v6.4.23

v6.4.25

v6.4.26

v6.4.27

v6.4.28

v6.4.29

v6.4.30

v6.4.31

v6.4.32

v6.4.33

v6.4.34

v6.4.35

v6.4.36

v6.4.37

v6.4.38

v6.4.39

v6.4.40

v6.4.41

v6.4.42

v6.4.43

v6.4.44

v6.4.49

v6.4.50

v6.4.51

v6.5.30

v6.5.31

v6.5.32

v6.5.33

v6.5.34

v6.5.35

v6.5.36

v6.5.37

v6.5.38

v6.5.39

v6.5.41

v6.5.42

v6.5.43

v6.5.44

v6.5.45

v6.5.46

v6.5.47

v6.5.48

v6.5.49

v6.5.50

v6.5.51

v6.5.52

v6.5.53

v6.5.54

v6.5.55

v6.5.56

v6.5.57

v6.5.58

v6.5.59

v6.5.60

v6.5.61

v6.5.62

v6.5.63

v6.5.64

v6.5.65

v6.5.66

v6.5.67

v6.5.68

v6.5.69

v6.5.70

v6.5.71

v6.5.72

v6.5.73

v6.5.74

v6.5.75

v6.5.76

v6.5.77

v6.5.78

v6.5.79

v6.5.80

v6.5.81

v6.5.82

v6.5.84

v6.5.85

v6.5.86

v6.5.88

v6.5.89

v6.5.90

v6.5.91

v6.5.92

v6.5.93

v6.5.95

v6.5.96

v6.6.100

v6.6.102

v6.6.103

v6.6.104

v6.6.105

v6.6.106

v6.6.107

v6.6.110

v6.6.117

v6.6.118

v6.6.119

v6.6.124

v6.6.125

v6.6.126

v6.6.127

v6.6.128

v6.6.129

v6.6.130

v6.6.131

v6.6.132

v6.6.133

v6.6.134

v6.6.135

v6.6.136

v6.6.137

v6.6.138

v6.6.139

v6.6.140

v6.6.141

v6.6.143

v6.6.27

v6.6.28

v6.6.29

v6.6.30

v6.6.31

v6.6.32

v6.6.33

v6.6.34

v6.6.35

v6.6.36

v6.6.37

v6.6.38

v6.6.39

v6.6.40

v6.6.41

v6.6.42

v6.6.43

v6.6.44

v6.6.45

v6.6.46

v6.6.47

v6.6.48

v6.6.49

v6.6.50

v6.6.51

v6.6.52

v6.6.53

v6.6.54

v6.6.55

v6.6.56

v6.6.57

v6.6.58

v6.6.59

v6.6.60

v6.6.61

v6.6.62

v6.6.63

v6.6.64

v6.6.65

v6.6.66

v6.6.67

v6.6.68

v6.6.69

v6.6.70

v6.6.71

v6.6.72

v6.6.81

v6.6.82

v6.6.83

v6.6.84

v6.6.85

v6.6.86

v6.6.87

v6.6.88

v6.6.89

v6.6.90

v6.6.91

v6.6.92

v6.6.93

v6.6.94

v6.6.95

v6.6.96

v6.6.97

v6.6.98

v6.6.99

v6.7.10

v6.7.11

v6.7.12

v6.7.13

v6.7.14

v6.7.15

v6.7.17

v6.7.19

v6.7.20

v6.7.22

v6.7.24

v6.7.25

v6.7.26

v6.7.27

v6.7.28

v6.7.29

v6.7.30

v6.7.31

v6.7.32

v6.7.33

v6.7.35

v6.7.36

v6.7.37

v6.7.38

v6.7.39

v6.7.40

v6.7.41

v6.7.42

v6.7.43

v6.7.44

v6.7.8

v6.7.9

v6.8.10

v6.8.100

v6.8.101

v6.8.102

v6.8.104

v6.8.105

v6.8.106

v6.8.107

v6.8.109

v6.8.11

v6.8.114

v6.8.116

v6.8.117

v6.8.118

v6.8.12

v6.8.120

v6.8.121

v6.8.122

v6.8.123

v6.8.124

v6.8.125

v6.8.126

v6.8.127

v6.8.128

v6.8.129

v6.8.130

v6.8.131

v6.8.132

v6.8.133

v6.8.134

v6.8.135

v6.8.139

v6.8.14

v6.8.141

v6.8.142

v6.8.146

v6.8.147

v6.8.15

v6.8.150

v6.8.151

v6.8.152

v6.8.153

v6.8.154

v6.8.155

v6.8.157

v6.8.16

v6.8.17

v6.8.18

v6.8.19

v6.8.21

v6.8.23

v6.8.24

v6.8.25

v6.8.26

v6.8.28

v6.8.29

v6.8.30

v6.8.31

v6.8.32

v6.8.33

v6.8.34

v6.8.35

v6.8.37

v6.8.38

v6.8.39

v6.8.40

v6.8.41

v6.8.42

v6.8.43

v6.8.44

v6.8.45

v6.8.47

v6.8.49

v6.8.50

v6.8.54

v6.8.56

v6.8.57

v6.8.58

v6.8.59

v6.8.6

v6.8.60

v6.8.61

v6.8.62

v6.8.63

v6.8.64

v6.8.66

v6.8.69

v6.8.7

v6.8.70

v6.8.73

v6.8.76

v6.8.77

v6.8.79

v6.8.83

v6.8.84

v6.8.85

v6.8.87

v6.8.88

v6.8.9

v6.8.90

v6.8.93

v6.8.94

v6.8.95

v6.8.96

v6.8.97

v6.8.98

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33755.json"