DEBIAN-CVE-2026-46446

Source
https://security-tracker.debian.org/tracker/CVE-2026-46446
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-46446.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-46446
Upstream
Published
2026-05-14T04:17:03.547Z
Modified
2026-06-30T16:00:09.375020241Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L CVSS Calculator
Summary
[none]
Details

SOGo before 5.12.7, when PostgreSQL or MariaDB is used, and cleartext passwords are stored, allows SQL injection. This is related to c_password = '%@' in changePasswordForLogin.

References

Affected packages

Debian:11 / sogo

Package

Name
sogo
Purl
pkg:deb/debian/sogo?arch=source&distro=bullseye

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

5.*
5.0.1-4
5.0.1-4+deb11u1
5.0.1-4+deb11u2
5.0.1-4+deb11u3
5.1.0-1
5.1.1-1
5.2.0-1
5.2.0-2
5.2.0-3
5.3.0-1
5.4.0-1
5.5.0-1
5.5.1-1
5.6.0-1
5.7.0-1
5.7.1-1
5.7.1-2
5.7.1-3
5.8.0-1
5.8.2-1
5.8.3-1
5.8.4-1
5.9.0-1
5.9.1-1
5.10.0-1
5.10.0-2
5.10.0-3
5.11.0-1
5.11.0-2
5.11.1-1
5.11.2-1
5.11.2-2
5.11.2-3
5.11.2-4
5.12.0-1
5.12.1-1
5.12.1-2
5.12.1-3
5.12.3-1
5.12.3-2
5.12.4-1
5.12.4-1.1
5.12.4-1.2
5.12.6-1
5.12.7-1
5.12.8-1
5.12.8-2
5.12.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-46446.json"

Debian:12 / sogo

Package

Name
sogo
Purl
pkg:deb/debian/sogo?arch=source&distro=bookworm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.8.0-2+deb12u3

Affected versions

5.*
5.8.0-1
5.8.0-2+deb12u1
5.8.0-2+deb12u2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-46446.json"

Debian:13 / sogo

Package

Name
sogo
Purl
pkg:deb/debian/sogo?arch=source&distro=trixie

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.12.1-3+deb13u2

Affected versions

5.*
5.12.1-3
5.12.1-3+deb13u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-46446.json"

Debian:14 / sogo

Package

Name
sogo
Purl
pkg:deb/debian/sogo?arch=source&distro=forky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.12.7-1

Affected versions

5.*
5.12.1-3
5.12.3-1
5.12.3-2
5.12.4-1
5.12.4-1.1
5.12.4-1.2
5.12.6-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-46446.json"