CVE-2026-8851

HIGH 8.1

SOGo < 5.12.8 SQL Injection via addUserInAcls endpoint

CVSS Score

8.1

EPSS Score

0.0%

EPSS Percentile

7th

SOGo versions 5.12.7 and prior contains a SQL injection vulnerability in the Access Control List management functionality that allows authenticated users to extract arbitrary data from the database by injecting SQL subqueries through the uid parameter of the addUserInAcls endpoint. Attackers can inject malicious SQL code to write extracted data into the sogo_acl table and retrieve it through the /acls API, establishing an out-of-band data exfiltration channel.

CWE	CWE-89
Vendor	alinto
Product	sogo webmail
Published	May 18, 2026
Last Updated	May 19, 2026

Stay Ahead of the Next One

Get instant alerts for alinto sogo webmail

Be the first to know when new high vulnerabilities affecting alinto sogo webmail are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Affected Versions

Alinto / SOGo Webmail

0 ≤ 5.12.7

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Alinto/sogo/releases/tag/SOGo-5.12.8 sogo.nu: https://www.sogo.nu/news/2026/sogo-v5128-released.html vulncheck.com: https://www.vulncheck.com/advisories/sogo-sql-injection-via-adduserinacls-endpoint

Credits

dninh of SACOMBANK