CVE-2026-2236
7.5 HIGH · Published 2026-02-09 · Modified 2026-02-09 · Awaiting Analysis
Quick Summary
A SQL injection vulnerability in HGiga's C&Cm@il software allows unauthenticated remote attackers to run their own SQL commands against the application's database. This is a serious flaw because it directly exposes sensitive data stored in the application.
Who is affected
Any organization using the vulnerable version of C&Cm@il is affected. An attacker could steal all data from the application's database, such as user information and emails.
Recommended fix
Immediately apply the security patch provided by HGiga. If a patch is not yet available, implement a web application firewall (WAF) with SQL injection rules as a temporary mitigation.
Technical Description
C&Cm@il developed by HGiga has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents.
CVSS Details
Attack Vector: NETWORK
Complexity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-89