SOGo before 5.12.7, when PostgreSQL or MariaDB is used, and cleartext passwords are stored, allows SQL injection. This is related to c_password = '%@' in changePasswordForLogin.
{ "urgency": "not yet assigned" }
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-46446.json"