Impact
SOGo versions prior to 5.12.7 contain a flaw in the changePasswordForLogin routine: the new password supplied by the user is placed into the SQL statement that updates the c_password column without adequate sanitization or parameter binding. An attacker can therefore embed SQL fragments in the password value and have arbitrary SQL statements executed on the underlying PostgreSQL or MariaDB database. The consequence is that an authenticated attacker can read, modify, or delete data stored in that database (including other accounts' credentials and data), compromising the confidentiality and integrity, and potentially the availability, of the email and calendar service.
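The following Python script is an added illustration of the injection pattern described above; it is not SOGo's code. The table name, the column set (c_uid, c_password, c_cn) and the exact shape of the UPDATE statement are assumptions chosen to mirror a cleartext SQL user source, SQLite stands in for PostgreSQL/MariaDB, and the payload is constructed. It runs the same attacker-controlled "new password" through a string-concatenating password change and through a parameterized one, and returns the stored passwords after each so the difference can be checked.

```python
import sqlite3

# Added illustration, not SOGo's code. Table name, columns and the UPDATE shape
# are assumptions used to show the injection pattern; SQLite stands in for
# PostgreSQL/MariaDB.

# Constructed fixture: three accounts with cleartext passwords, the storage
# mode under which the advisory says the flaw is reachable.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sogo_users (c_uid TEXT PRIMARY KEY, c_password TEXT, c_cn TEXT)"
    )
    conn.executemany(
        "INSERT INTO sogo_users VALUES (?, ?, ?)",
        [("alice", "alice-old", "Alice"), ("bob", "bob-old", "Bob"),
         ("admin", "admin-old", "Admin")],
    )
    conn.commit()
    return conn

# Constructed attacker payload, submitted as the "new password" by a
# low-privileged user (alice). The quote closes the string literal, the
# injected WHERE retargets the UPDATE at another account, and the trailing
# comment discards the routine's own WHERE clause.
INJECTED_PASSWORD = "x' WHERE c_uid = 'admin'; --"

def change_password_vulnerable(conn, uid, new_password):
    """Hypothetical rendering of the flawed pattern: the cleartext value is
    spliced into the SQL text. executescript is used so that stacked
    statements would also run, as a driver allowing multiple statements per
    call would permit."""
    sql = "UPDATE sogo_users SET c_password = '%s' WHERE c_uid = '%s';" % (
        new_password, uid)
    conn.executescript(sql)
    conn.commit()

def change_password_fixed(conn, uid, new_password):
    """Same operation with bound parameters: the value is data, never SQL."""
    conn.execute(
        "UPDATE sogo_users SET c_password = ? WHERE c_uid = ?",
        (new_password, uid),
    )
    conn.commit()

def stored_passwords(conn):
    """Return {c_uid: c_password} for inspection."""
    return dict(conn.execute(
        "SELECT c_uid, c_password FROM sogo_users ORDER BY c_uid"))

def demo():
    """Send the same request to both implementations; return both end states."""
    vuln = make_db()
    change_password_vulnerable(vuln, "alice", INJECTED_PASSWORD)

    fixed = make_db()
    change_password_fixed(fixed, "alice", INJECTED_PASSWORD)

    return stored_passwords(vuln), stored_passwords(fixed)

if __name__ == "__main__":
    after_vuln, after_fixed = demo()
    # vulnerable: admin's password is now 'x', alice's own row is untouched
    print("vulnerable:", after_vuln)
    # fixed: only alice's row changed, and it holds the payload as a literal
    print("fixed:     ", after_fixed)
```

In the vulnerable path the statement that actually reaches the database is `UPDATE sogo_users SET c_password = 'x' WHERE c_uid = 'admin'; --' WHERE c_uid = 'alice';`, so a single ordinary mailbox user resets an administrator's password without any stacked query. Binding the value as a parameter is the fix for the injection; it does not by itself address cleartext storage, which is why the advisory treats hashed password storage as a separate mitigation.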
Affected Systems
The vulnerability affects the Alinto SOGo email and calendar server when its user source is a PostgreSQL or MariaDB database that stores passwords in cleartext; the flaw is reached through the password-change path for that storage mode. Every deployment running a version earlier than 5.12.7 in that configuration is susceptible until it is upgraded or the password storage mechanism is changed away from cleartext. The product is SOGo and the vendor is Alinto.
Risk and Exploitability
The CVSS score of 7.1 places this in the high severity range. No EPSS score is available, and the absence of a KEV listing means no in-the-wild exploitation has been confirmed there; it does not mean the flaw is hard to exploit. The flaw is reachable remotely through the password-change function by anyone holding a valid session or authentication token for any account, so a single low-privileged mailbox credential is sufficient. Because exploitation only requires submitting a crafted password value to the service, Internet-exposed instances with self-service password change enabled have the widest attack surface. Operators should treat this as a serious threat, particularly where an attacker might obtain even temporary authenticated access, and should upgrade to 5.12.7 or, as an interim measure, move the SQL user source away from cleartext password storage.
OpenCVE Enrichment