CVE-2026-46446

Daily digests

SOGo before 5.12.7 has a SQL injection bug in its password-change flow when you're using PostgreSQL or MariaDB with cleartext password storage. An attacker who can hit the password change endpoint can inject SQL through the c_password parameter. This only applies if your SOGo instance stores passwords in cleartext, which narrows the blast radius but makes it worse if you're in that camp.

• Daily Digest · May 14, 2026

  OpenTelemetry Azure auth bypass + SOGo SQL injection