216.73.217.86

CVE-2026-33755

· Published 27/03/2026 15:16 · Modified 27/03/2026 15:16

Labels: CVE-2026-33755 2026-03-27CVE-2026-33755CWE-89[email protected]

Essential information

Published
27/03/2026 15:16
Modified
27/03/2026 15:16
Author
Creator
CVSS
8.8 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP `Contact/query` endpoint allows any authenticated user with basic addressbook access to extract arbitrary data from the database — including active session tokens of other users. This enables full account takeover of any user, including the System Administrator, without knowing their password. Versions 6.8.158, 25.0.92, and 26.0.17 fix the issue.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
group-office / group-office cpe:2.3:a:group-office:group-office:<6.8.158:*:*:*:*:*:*:*
group-office / group-office cpe:2.3:a:group-office:group-office:<25.0.92:*:*:*:*:*:*:*
group-office / group-office cpe:2.3:a:group-office:group-office:<26.0.17:*:*:*:*:*:*:*

References