Skip to main content

Sogo CVE-2025-71276

| EUVDEUVD-2025-208920 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-22 mitre
6.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 22, 2026 - 02:30 euvd
EUVD-2025-208920
Analysis Generated
Mar 22, 2026 - 02:30 vuln.today
CVE Published
Mar 22, 2026 - 02:11 nvd
MEDIUM 6.4

DescriptionCVE.org

SOGo before 5.12.5 is prone to a XSS vulnerability with events, tasks, and contacts categories.

AnalysisAI

SOGo before version 5.12.5 contains a cross-site scripting (XSS) vulnerability affecting the events, tasks, and contacts categories that allows authenticated attackers to inject malicious scripts. An attacker with valid SOGo credentials can craft malicious input in these modules that will execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions. No public exploit code or active exploitation has been documented in known exploit databases, but the vulnerability carries a moderate CVSS score of 6.4 reflecting its requirement for prior authentication combined with its ability to affect confidentiality and integrity across security domain boundaries.

Technical ContextAI

The vulnerability exists in the SOGo groupware suite (Alinto SOGo, CPE: cpe:2.3:a:alinto:sogo), which is a collaborative calendaring, messaging, and contact management application written in Objective-C and JavaScript. The XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) occurs in the web interface layers handling events, tasks, and contacts data where user-supplied input is not properly sanitized or encoded before being rendered in HTML responses. This allows an authenticated user to bypass client-side and server-side input validation mechanisms by injecting JavaScript payloads through these three specific categories, which are then executed when other users interact with the affected objects.

RemediationAI

Upgrade SOGo to version 5.12.5 or later immediately. The patch is available from Alinto in their GitHub repository (https://github.com/Alinto/sogo/commit/e9b3f2a43d7557e8416f6749df4ab4f9128af2d1) and should be deployed as the primary remediation. Organizations unable to patch immediately should implement network-level controls including: restricting SOGo access to authenticated corporate networks via VPN or firewall rules, disabling direct internet access to the application, implementing strict Content Security Policy (CSP) headers to prevent inline script execution, and monitoring for suspicious activity in event, task, and contact creation logs. Additionally, educate users to avoid clicking links or viewing untrusted events/tasks/contacts from external sources until patching is complete.

More in Sogo

View all
CVE-2015-5395 HIGH POC
8.8 Sep 20

Cross-site request forgery (CSRF) vulnerability in SOGo before 3.1.0. Rated high severity (CVSS 8.8), this vulnerability

CVE-2025-63499 MEDIUM POC
6.1 Dec 04

Alinto Sogo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the theme parameter.

CVE-2025-63498 MEDIUM POC
6.1 Nov 24

alinto SOGo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the "userName" parameter. Rated medium severity (CVSS

CVE-2016-6189 MEDIUM POC
4.3 Feb 17

Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive in

CVE-2021-33054 HIGH
7.5 Jun 04

SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receiv

CVE-2026-46446 HIGH
7.1 May 14

SQL injection in SOGo versions prior to 5.12.7 allows authenticated users to inject arbitrary SQL when changing their pa

CVE-2026-46445 HIGH
7.1 May 14

SQL injection in Alinto SOGo versions prior to 5.12.7 allows authenticated remote attackers to manipulate database queri

CVE-2016-6188 MEDIUM
6.5 Feb 03

Memory leak in SOGo 2.3.7 allows remote attackers to cause a denial of service (memory consumption) via a large number o

CVE-2014-9905 MEDIUM
6.1 Feb 17

Multiple cross-site scripting (XSS) vulnerabilities in the Web Calendar in SOGo before 2.2.0 allow remote attackers to i

CVE-2016-6191 MEDIUM
6.1 Feb 17

Multiple cross-site scripting (XSS) vulnerabilities in the View Raw Source page in the Web Calendar in SOGo before 3.1.3

CVE-2026-8496 MEDIUM
6.1 May 13

Stored XSS in Alinto SOGo's ICS calendar invitation viewer enables a remote unauthenticated attacker to execute arbitrar

CVE-2024-24510 MEDIUM
6.1 Sep 09

Cross Site Scripting vulnerability in Alinto SOGo before 5.10.0 allows a remote attacker to execute arbitrary code via t

Vendor StatusVendor

Debian

Bug #1131605
sogo
Release Status Fixed Version Urgency
bullseye vulnerable 5.0.1-4+deb11u1 -
bullseye (security) vulnerable 5.0.1-4+deb11u3 -
bookworm vulnerable 5.8.0-2+deb12u2 -
trixie vulnerable 5.12.1-3+deb13u1 -
forky, sid vulnerable 5.12.4-1.2 -
(unstable) fixed (unfixed) -

Share

CVE-2025-71276 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy