HGiga Patches Critical Authentication Bypass and SQL Injection Flaws in C&Cm@il

HGiga released security updates for its C&Cm@il platform to patch three vulnerabilities, including a critical missing authentication flaw. These issues allow attackers to bypass security controls, access sensitive email data, and manipulate database records.

Vulnerabilities summary (in Chinese):

• CVE-2026-2234 (CVSS score 9.1) - A missing authentication vulnerability that allows unauthenticated remote attackers to access administrative functions. By bypassing identity verification, an attacker can read or modify the email content of any user on the system.
• CVE-2026-2236 (CVSS score 7.5) - An unauthenticated SQL injection vulnerability that enables remote attackers to run arbitrary SQL commands against the backend database. Attackers can use this to extract sensitive information from the database without needing valid credentials.
• CVE-2026-2235 (CVSS score 6.5) - An authenticated SQL injection vulnerability where a user with low-level access can execute arbitrary SQL queries. This allows an attacker to escalate their data access capabilities to read sensitive database contents that should be restricted.

The vulnerabilities affect the HGiga C&Cm@il olln-base package. All versions prior to 7.0-978 are considered vulnerable and should be treated as high-risk assets.

HGiga has released version 7.0-978 of the olln-base package to patch these security flaws. Administrators should apply the update immediately and monitor system logs for any signs of unauthorized access or unusual SQL query patterns. In addition to patching, organizations should ensure the mail server is protected by a web application firewall (WAF) to help block potential injection attempts and restrict administrative access to trusted IP ranges.