CVE-2026-2236
Description
C&Cm@il developed by HGiga has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-2236 is an unauthenticated SQL injection in HGiga C&Cm@il allowing remote attackers to read database contents.
Vulnerability Overview
CVE-2026-2236 is a SQL injection vulnerability in HGiga's C&Cm@il email suite, specifically in the olln-base package prior to version 7.0-978. The flaw allows an unauthenticated remote attacker to inject arbitrary SQL commands, enabling them to read database contents [1][2]. This vulnerability is distinct from CVE-2026-2235, which requires authentication, and CVE-2026-2234, a missing authentication issue [1][2].
Attack Vector and Prerequisites
The attack vector is network-based with low complexity, requiring no privileges or user interaction (CVSS v3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) [1][2]. An attacker can exploit this by sending crafted HTTP requests to the vulnerable endpoint, bypassing authentication checks to execute arbitrary SQL statements against the backend database.
Impact
Successful exploitation allows an attacker to read sensitive data stored in the database, such as user credentials, email content, or other confidential information. The confidentiality impact is high, while integrity and availability are not directly affected [1][2].
Mitigation
The vendor has released a fix in olln-base version 7.0-978. Users are advised to update to that version or later immediately [1][2]. No workarounds have been publicly documented.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.