LeakyCreds

CVE-2026-33755 - Vulnerability Analysis

High | CVSS: 8.8

Last Updated: March 30, 2026

Group-Office - SQL Injection

Published: March 27, 2026 | Updated: March 30, 2026 | Remote Exploitable

Overview

Group-Office versions before 6.8.158, 25.0.92, and 26.0.17 contain an authenticated SQL injection caused by improper input sanitization in the JMAP Contact/query endpoint. It lets authenticated users with basic addressbook access extract arbitrary database data, including session tokens. Exploitation requires authentication with basic addressbook access.

Severity & Score

Severity: High
CVSS Score: 8.8
EPSS Score: 3.0% (probability of exploitation in the next 30 days)

Impact

Authenticated users can extract sensitive data and fully take over any account, including the System Administrator, without knowing passwords.

Mitigation

Upgrade to versions 6.8.158, 25.0.92, or 26.0.17 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 27, 2026

🟠 CVE-2026-33755 - High (8.8) Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP `Contact/query` endpoint allows any authenticated user wit... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33755/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-33755
Severity: High
CVSS Score: 8.8
Type: sql_injection
Status: unconfirmed
EPSS: 3.0%
Social Posts: 1

CWE

  • CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

3.0% (probability of exploitation in the next 30 days)