Description
Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.8, 25.0.87, and 6.8.153 have a SQL Injection (SQLi) vulnerability, exploitable through the `advancedQueryData` parameter (`comparator` field) on an authenticated endpoint. The endpoint `index.php?r=email/template/emailSelection` processes `advancedQueryData` and forwards the SQL comparator without a strict allowlist into SQL condition building. This enables blind boolean-based exfiltration of the `core_auth_password` table. Versions 26.0.8, 25.0.87, and 6.8.153 fix the issue.
Published: 2026-02-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Credential Disclosure via Blind SQL Injection
Action: Immediate Patch
AI Analysis

Impact

Group‑Office contains an authenticated blind boolean‑based SQL injection in the advancedQueryData comparator field of the email template selection endpoint, allowing attackers to exfiltrate contents of the core_auth_password table. This is a classic injection flaw (CWE‑89) that can lead to compromise of user passwords and creation of a foothold for further attacks.

Affected Systems

The vulnerability exists in Intermesh Group‑Office versions prior to 26.0.8, 25.0.87, and 6.8.153. All affected releases prior to these fixed versions can be impacted by the flaw.

Risk and Exploitability

With a CVSS score of 7.1 and an EPSS probability of less than 1 %, the flaw is moderately high-risk but unlikely to be widely exploited currently; it is not listed in CISA's KEV catalog. The attack requires authenticated access to the application and leverages the unchecked comparator field to conduct blinded data extraction, potentially over multiple requests.

Generated by OpenCVE AI on April 16, 2026 at 15:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Group‑Office to at least version 26.0.8, 25.0.87, or 6.8.153 to apply the vendor's fix.
  • Restrict the email template selection endpoint to privileged roles only, enforcing a stricter role‑based access control policy.
  • Deploy a Web Application Firewall or similar perimeter security to detect and block blind SQL injection patterns targeting advancedQueryData.

Generated by OpenCVE AI on April 16, 2026 at 15:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 04 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Mon, 02 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Intermesh
Intermesh group-office
Vendors & Products Intermesh
Intermesh group-office

Fri, 27 Feb 2026 20:00:00 +0000

Type Values Removed Values Added
Description Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.8, 25.0.87, and 6.8.153 have a SQL Injection (SQLi) vulnerability, exploitable through the `advancedQueryData` parameter (`comparator` field) on an authenticated endpoint. The endpoint `index.php?r=email/template/emailSelection` processes `advancedQueryData` and forwards the SQL comparator without a strict allowlist into SQL condition building. This enables blind boolean-based exfiltration of the `core_auth_password` table. Versions 26.0.8, 25.0.87, and 6.8.153 fix the issue.
Title Group-Office Has Authenticated SQL Injection in advancedQueryData.comparator
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Intermesh Group-office
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-02T12:56:47.385Z

Reserved: 2026-02-24T02:32:39.800Z

Link: CVE-2026-27832

cve-icon Vulnrichment

Updated: 2026-03-02T12:56:42.822Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-27T20:21:40.150

Modified: 2026-03-04T16:10:29.793

Link: CVE-2026-27832

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T15:30:06Z

Weaknesses