7.1
Group-Office: Passwords Exposed via SQL Injection in Older Versions
CVE-2026-27832
Summary
Group-Office versions prior to 26.0.8, 25.0.87, and 6.8.153 contain a SQL injection vulnerability in an authenticated endpoint that could allow an attacker to read sensitive password information from the `core_auth_password` table. This is a serious issue, as that information could be used to gain unauthorized access to the system. To fix this, update to version 26.0.8, 25.0.87, or 6.8.153 or later.
What to do
Update to Group-Office 26.0.8, 25.0.87, or 6.8.153 or later, the versions the description on this page lists as fixed.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| intermesh | group-office | <= 6.8.153 | – |
| intermesh | group-office | > 25.0.1, <= 25.0.87 | – |
| intermesh | group-office | > 26.0.1, <= 26.0.8 | – |
Original title
Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.8, 25.0.87, and 6.8.153 have a SQL Injection (SQLi) vulnerability, exploitable through the ...
Original description
Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.8, 25.0.87, and 6.8.153 have a SQL Injection (SQLi) vulnerability, exploitable through the `advancedQueryData` parameter (`comparator` field) on an authenticated endpoint. The endpoint `index.php?r=email/template/emailSelection` processes `advancedQueryData` and forwards the SQL comparator without a strict allowlist into SQL condition building. This enables blind boolean-based exfiltration of the `core_auth_password` table. Versions 26.0.8, 25.0.87, and 6.8.153 fix the issue.
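A strict comparator allowlist of the kind the description says was missing, as an added Python example (not Group-Office code, which is PHP, and not the project's actual fix). The JSON shape assumed for `advancedQueryData`, the `contacts` table, and both allowlists are assumptions made for illustration.

```python
import json
import sqlite3

# Assumed allowlists for this sketch; a real application defines its own.
ALLOWED_COMPARATORS = {"=", "!=", "<", "<=", ">", ">=", "LIKE", "NOT LIKE"}
ALLOWED_FIELDS = {"name", "email"}


def build_where(advanced_query_data):
    """Turn JSON criteria into (sql_fragment, params); raise ValueError on anything unexpected."""
    criteria = json.loads(advanced_query_data)
    if not isinstance(criteria, list) or not criteria:
        raise ValueError("expected a non-empty list of criteria")
    clauses, params = [], []
    for item in criteria:
        if not isinstance(item, dict):
            raise ValueError("each criterion must be an object")
        field, value = item.get("field"), item.get("value")
        # Normalise case and whitespace, then require an exact allowlist match.
        comparator = " ".join(str(item.get("comparator", "")).split()).upper()
        if not isinstance(field, str) or field not in ALLOWED_FIELDS:
            raise ValueError(f"field not allowed: {field!r}")
        if comparator not in ALLOWED_COMPARATORS:
            raise ValueError(f"comparator not allowed: {comparator!r}")
        if not isinstance(value, (str, int, float)):
            raise ValueError("value must be a scalar")
        # Only allowlisted tokens reach the SQL text; the value is always bound.
        clauses.append(f'"{field}" {comparator} ?')
        params.append(value)
    return " AND ".join(clauses), params


def demo_db():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


def search(conn, advanced_query_data):
    where, params = build_where(advanced_query_data)
    sql = f"SELECT name FROM contacts WHERE {where} ORDER BY name"
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    print(search(demo_db(), '[{"field": "name", "comparator": "like", "value": "a%"}]'))
```

Rejecting the request outright, rather than stripping characters from the comparator, also gives a clean signal to log and alert on.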
nvd CVSS3.1
8.8
nvd CVSS4.0
7.1
Vulnerability type
CWE-89
SQL Injection
Published: 27 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026