Skip to main content

Alinto SOGo CVE-2026-8496

| EUVDEUVD-2026-30134 MEDIUM
2026-05-13 certcc GHSA-5wp7-63mq-392x
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Source Code Evidence Fetched
Jun 08, 2026 - 11:01 vuln.today
Analysis Generated
Jun 08, 2026 - 11:01 vuln.today
Patch available
May 13, 2026 - 20:32 EUVD
CVSS changed
May 13, 2026 - 19:22 NVD
6.1 (MEDIUM)
CVE Published
May 13, 2026 - 18:02 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

A cross-site scripting (XSS) vulnerability exists in Alinto SOGo, version 5.12.7. A maliciously crafted ICS calendar invitation files allows arbitrary JavaScript execution within the authenticated SOGo webmail session. The issue occurs because SVG content embedded in the description field of an ICS file, with an onrepeat event handler, is insufficiently sanitized before being rendered in the webmail interface. A remote attacker can execute JavaScript in the victim's browser when the malicious calendar invite is viewed. Successful exploitation may allow mailbox access, email and contact theft, session hijacking, and other actions allowed by an authenticated user.

AnalysisAI

Stored XSS in Alinto SOGo's ICS calendar invitation viewer enables a remote unauthenticated attacker to execute arbitrary JavaScript within an authenticated victim's SOGo webmail session. Affected versions span all releases prior to 5.12.8; the root cause is an incomplete blocklist sanitizer in NSString+Utilities.m that explicitly blocked only 'onload' and 'onmouseover' event handlers, leaving the SVG animation event 'onrepeat' unfiltered when SVG content appears in an ICS DESCRIPTION field. No public exploit has been identified at time of analysis and CISA SSVC confirms no active exploitation, but the CVSS Scope:Changed rating reflects that successful execution grants the attacker full access to the victim's authenticated session context, enabling mailbox access, contact theft, and session hijacking.

Technical ContextAI

Alinto SOGo is an open-source Objective-C groupware server and webmail client. The affected code path is the ICS viewer component UIxMailPartICalViewer.m, which renders iCalendar (.ics) invitation content - including the DESCRIPTION field - inside the SOGo webmail interface. Prior to 5.12.8, the sanitization method stringWithoutHTMLInjection in SoObjects/SOGo/NSString+Utilities.m used a piecemeal blocklist strategy: it applied individual NSRegularExpression replacements to mangle specific event handlers ('onload=' → 'onl*=', 'onmouseover=' → 'onmouseo*='). The SVG animation event handler 'onrepeat', which fires each time an SVG SMIL animation loop repeats, was never added to this blocklist, making it a trivially exploitable bypass. Because SVG is an XML-based format that browsers render inline, an attacker can embed a construct such as '<animate onrepeat="malicious_js" ...>' in the DESCRIPTION field of an ICS file and have it execute in the victim's browser when the invite is rendered. The CPE string cpe:2.3:a:alinto_sogo:sogo:*:*:*:*:*:*:*:* indicates all SOGo versions are in scope up to the fix. The 5.12.8 patch replaces the per-handler blocklist with a comprehensive catch-all regex (on\w+)\s*=\s*(["'][^"']*["']|[^\s>]+) that strips any on* attribute event handler, and separately applies sanitization to the rendered content field in the ICalViewer renderer. CWE is listed as N/A in the provided data, but the code evidence maps this unambiguously to improper neutralization of input during web page generation (classic stored/reflected XSS via blocklist bypass).

RemediationAI

Vendor-released patch: SOGo 5.12.8. Administrators should upgrade to SOGo 5.12.8, available at the GitHub release tag https://github.com/Alinto/sogo/releases/tag/SOGo-5.12.8 and documented in the vendor announcement at https://www.sogo.nu/news/2026/sogo-v5128-released.html. The fix commit https://github.com/Alinto/sogo/commit/67ce01ec2a1a7854d8e9f615dd65afb949043e86 replaces the piecemeal event-handler blocklist with a comprehensive regex stripping all on* attribute handlers. If an immediate upgrade is not feasible, a compensating control is to configure the mail gateway or spam filter to block or quarantine inbound messages containing ICS attachments from external or untrusted senders; this prevents the malicious payload from reaching the SOGo calendar viewer but will also block all legitimate external calendar invitations, which may be disruptive in collaborative environments. There is no known in-product configuration switch to disable SVG rendering in ICS descriptions without patching.

More in Sogo

View all
CVE-2015-5395 HIGH POC
8.8 Sep 20

Cross-site request forgery (CSRF) vulnerability in SOGo before 3.1.0. Rated high severity (CVSS 8.8), this vulnerability

CVE-2025-63499 MEDIUM POC
6.1 Dec 04

Alinto Sogo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the theme parameter.

CVE-2025-63498 MEDIUM POC
6.1 Nov 24

alinto SOGo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the "userName" parameter. Rated medium severity (CVSS

CVE-2016-6189 MEDIUM POC
4.3 Feb 17

Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive in

CVE-2021-33054 HIGH
7.5 Jun 04

SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receiv

CVE-2026-46446 HIGH
7.1 May 14

SQL injection in SOGo versions prior to 5.12.7 allows authenticated users to inject arbitrary SQL when changing their pa

CVE-2026-46445 HIGH
7.1 May 14

SQL injection in Alinto SOGo versions prior to 5.12.7 allows authenticated remote attackers to manipulate database queri

CVE-2016-6188 MEDIUM
6.5 Feb 03

Memory leak in SOGo 2.3.7 allows remote attackers to cause a denial of service (memory consumption) via a large number o

CVE-2025-71276 MEDIUM
6.4 Mar 22

SOGo before version 5.12.5 contains a cross-site scripting (XSS) vulnerability affecting the events, tasks, and contacts

CVE-2014-9905 MEDIUM
6.1 Feb 17

Multiple cross-site scripting (XSS) vulnerabilities in the Web Calendar in SOGo before 2.2.0 allow remote attackers to i

CVE-2016-6191 MEDIUM
6.1 Feb 17

Multiple cross-site scripting (XSS) vulnerabilities in the View Raw Source page in the Web Calendar in SOGo before 3.1.3

CVE-2024-24510 MEDIUM
6.1 Sep 09

Cross Site Scripting vulnerability in Alinto SOGo before 5.10.0 allows a remote attacker to execute arbitrary code via t

Share

CVE-2026-8496 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy