Skip to main content

Sogo

19 CVEs product

Monthly

CVE-2026-46446 HIGH PATCH This Week

SQL injection in SOGo versions prior to 5.12.7 allows authenticated users to inject arbitrary SQL when changing their password, provided the deployment uses PostgreSQL or MariaDB as the user backend and stores cleartext passwords. The flaw resides in the changePasswordForLogin routine where the new password value is interpolated directly into an UPDATE statement (c_password = '%@'). No public exploit identified at time of analysis, EPSS is very low (0.03%), and SSVC marks exploitation as 'none' - but the patched upstream code (PR #379, fixed in 5.12.7) confirms the vulnerability.

SQLi PostgreSQL Sogo
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-46445 HIGH PATCH This Week

SQL injection in Alinto SOGo versions prior to 5.12.7 allows authenticated remote attackers to manipulate database queries when the groupware is deployed against a PostgreSQL backend. The flaw stems from improper quoting in the SQLSource authentication and contact-lookup paths, which an attacker can leverage to read or modify data with high confidentiality and integrity impact. No public exploit identified at time of analysis and EPSS is very low (0.03%), but a vendor patch and upstream code fix are available.

SQLi PostgreSQL Sogo
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-8496 MEDIUM PATCH This Month

Stored XSS in Alinto SOGo's ICS calendar invitation viewer enables a remote unauthenticated attacker to execute arbitrary JavaScript within an authenticated victim's SOGo webmail session. Affected versions span all releases prior to 5.12.8; the root cause is an incomplete blocklist sanitizer in NSString+Utilities.m that explicitly blocked only 'onload' and 'onmouseover' event handlers, leaving the SVG animation event 'onrepeat' unfiltered when SVG content appears in an ICS DESCRIPTION field. No public exploit has been identified at time of analysis and CISA SSVC confirms no active exploitation, but the CVSS Scope:Changed rating reflects that successful execution grants the attacker full access to the victim's authenticated session context, enabling mailbox access, contact theft, and session hijacking.

XSS Sogo
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-33550 LOW PATCH Monitor

SOGo versions prior to 5.12.5 contain two related one-time password (OTP) implementation weaknesses: the OTP is not regenerated when users disable and re-enable two-factor authentication, and the OTP length is only 12 digits instead of the cryptographically recommended 20 digits. While the CVSS score is low (2.0) due to high attack complexity and privileges required, this vulnerability could allow authenticated administrators or high-privilege users with social engineering capability to bypass or weaken OTP protections. No known active exploitation or public proof-of-concept exists, but the issue has been acknowledged and patched by the vendor.

Information Disclosure Sogo
NVD GitHub VulDB
CVSS 3.1
2.0
EPSS
0.0%
CVE-2025-71276 MEDIUM PATCH This Month

SOGo before version 5.12.5 contains a cross-site scripting (XSS) vulnerability affecting the events, tasks, and contacts categories that allows authenticated attackers to inject malicious scripts. An attacker with valid SOGo credentials can craft malicious input in these modules that will execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions. No public exploit code or active exploitation has been documented in known exploit databases, but the vulnerability carries a moderate CVSS score of 6.4 reflecting its requirement for prior authentication combined with its ability to affect confidentiality and integrity across security domain boundaries.

XSS Sogo
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3054 LOW PATCH Monitor

Cross-site scripting (XSS) via the hint parameter in Alinto SOGo 5.12.3/5.12.4 allows unauthenticated remote attackers to inject malicious scripts through a user-interactive attack vector. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or responded to disclosure efforts. The impact is limited to integrity compromise with no confidentiality or availability impact.

XSS Sogo
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-63499 MEDIUM POC PATCH This Month

Alinto Sogo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the theme parameter.

XSS Ubuntu Debian Sogo
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-63498 MEDIUM POC PATCH This Month

alinto SOGo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the "userName" parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Sogo Debian Linux
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2024-24510 MEDIUM PATCH This Month

Cross Site Scripting vulnerability in Alinto SOGo before 5.10.0 allows a remote attacker to execute arbitrary code via the import function to the mail component. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

RCE XSS Sogo
NVD GitHub
CVSS 3.1
6.1
EPSS
0.5%
CVE-2024-34462 MEDIUM PATCH This Month

Alinto SOGo through 5.10.0 allows XSS during attachment preview. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Sogo
NVD GitHub
CVSS 3.1
6.1
EPSS
0.3%
CVE-2022-4558 MEDIUM PATCH This Month

A vulnerability was found in Alinto SOGo up to 5.7.1. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Sogo
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.6%
CVE-2022-4556 MEDIUM PATCH This Month

A vulnerability was found in Alinto SOGo up to 5.7.1 and classified as problematic. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Sogo
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-33054 HIGH This Week

SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Jwt Attack Sogo Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2015-5395 HIGH POC PATCH This Week

Cross-site request forgery (CSRF) vulnerability in SOGo before 3.1.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Debian Linux Sogo
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2016-6191 MEDIUM PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in the View Raw Source page in the Web Calendar in SOGo before 3.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Sogo
NVD GitHub
CVSS 3.1
6.1
EPSS
0.3%
CVE-2016-6190 MEDIUM PATCH This Month

SOGo before 2.3.12 and 3.x before 3.1.1 does not restrict access to the UID and DTSTAMP attributes, which allows remote authenticated users to obtain sensitive information about appointments with the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Sogo
NVD GitHub
CVSS 3.0
4.3
EPSS
0.2%
CVE-2016-6189 MEDIUM POC PATCH This Month

Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Sogo
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2014-9905 MEDIUM PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in the Web Calendar in SOGo before 2.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) title of an appointment or (2). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Sogo
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2016-6188 MEDIUM PATCH This Month

Memory leak in SOGo 2.3.7 allows remote attackers to cause a denial of service (memory consumption) via a large number of attempts to upload a large attachment, related to temporary files. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Sogo
NVD GitHub
CVSS 3.1
6.5
EPSS
1.5%
EPSS 0% CVSS 7.1
HIGH PATCH This Week

SQL injection in SOGo versions prior to 5.12.7 allows authenticated users to inject arbitrary SQL when changing their password, provided the deployment uses PostgreSQL or MariaDB as the user backend and stores cleartext passwords. The flaw resides in the changePasswordForLogin routine where the new password value is interpolated directly into an UPDATE statement (c_password = '%@'). No public exploit identified at time of analysis, EPSS is very low (0.03%), and SSVC marks exploitation as 'none' - but the patched upstream code (PR #379, fixed in 5.12.7) confirms the vulnerability.

SQLi PostgreSQL Sogo
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

SQL injection in Alinto SOGo versions prior to 5.12.7 allows authenticated remote attackers to manipulate database queries when the groupware is deployed against a PostgreSQL backend. The flaw stems from improper quoting in the SQLSource authentication and contact-lookup paths, which an attacker can leverage to read or modify data with high confidentiality and integrity impact. No public exploit identified at time of analysis and EPSS is very low (0.03%), but a vendor patch and upstream code fix are available.

SQLi PostgreSQL Sogo
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored XSS in Alinto SOGo's ICS calendar invitation viewer enables a remote unauthenticated attacker to execute arbitrary JavaScript within an authenticated victim's SOGo webmail session. Affected versions span all releases prior to 5.12.8; the root cause is an incomplete blocklist sanitizer in NSString+Utilities.m that explicitly blocked only 'onload' and 'onmouseover' event handlers, leaving the SVG animation event 'onrepeat' unfiltered when SVG content appears in an ICS DESCRIPTION field. No public exploit has been identified at time of analysis and CISA SSVC confirms no active exploitation, but the CVSS Scope:Changed rating reflects that successful execution grants the attacker full access to the victim's authenticated session context, enabling mailbox access, contact theft, and session hijacking.

XSS Sogo
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW PATCH Monitor

SOGo versions prior to 5.12.5 contain two related one-time password (OTP) implementation weaknesses: the OTP is not regenerated when users disable and re-enable two-factor authentication, and the OTP length is only 12 digits instead of the cryptographically recommended 20 digits. While the CVSS score is low (2.0) due to high attack complexity and privileges required, this vulnerability could allow authenticated administrators or high-privilege users with social engineering capability to bypass or weaken OTP protections. No known active exploitation or public proof-of-concept exists, but the issue has been acknowledged and patched by the vendor.

Information Disclosure Sogo
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

SOGo before version 5.12.5 contains a cross-site scripting (XSS) vulnerability affecting the events, tasks, and contacts categories that allows authenticated attackers to inject malicious scripts. An attacker with valid SOGo credentials can craft malicious input in these modules that will execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions. No public exploit code or active exploitation has been documented in known exploit databases, but the vulnerability carries a moderate CVSS score of 6.4 reflecting its requirement for prior authentication combined with its ability to affect confidentiality and integrity across security domain boundaries.

XSS Sogo
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Cross-site scripting (XSS) via the hint parameter in Alinto SOGo 5.12.3/5.12.4 allows unauthenticated remote attackers to inject malicious scripts through a user-interactive attack vector. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or responded to disclosure efforts. The impact is limited to integrity compromise with no confidentiality or availability impact.

XSS Sogo
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Alinto Sogo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the theme parameter.

XSS Ubuntu Debian +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

alinto SOGo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the "userName" parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Sogo Debian Linux
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross Site Scripting vulnerability in Alinto SOGo before 5.10.0 allows a remote attacker to execute arbitrary code via the import function to the mail component. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

RCE XSS Sogo
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Alinto SOGo through 5.10.0 allows XSS during attachment preview. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Sogo
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

A vulnerability was found in Alinto SOGo up to 5.7.1. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Sogo
NVD GitHub VulDB
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

A vulnerability was found in Alinto SOGo up to 5.7.1 and classified as problematic. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Sogo
NVD GitHub VulDB
EPSS 1% CVSS 7.5
HIGH This Week

SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Jwt Attack Sogo +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Cross-site request forgery (CSRF) vulnerability in SOGo before 3.1.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Debian Linux Sogo
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in the View Raw Source page in the Web Calendar in SOGo before 3.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Sogo
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

SOGo before 2.3.12 and 3.x before 3.1.1 does not restrict access to the UID and DTSTAMP attributes, which allows remote authenticated users to obtain sensitive information about appointments with the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Sogo
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Sogo
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in the Web Calendar in SOGo before 2.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) title of an appointment or (2). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Sogo
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

Memory leak in SOGo 2.3.7 allows remote attackers to cause a denial of service (memory consumption) via a large number of attempts to upload a large attachment, related to temporary files. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Sogo
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy