Description
SOGo before 5.12.5 is prone to a XSS vulnerability with events, tasks, and contacts categories.
Published: 2026-03-22
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

SOGo versions prior to 5.12.5 contain a flaw that allows an attacker to inject malicious scripts through the names of categories for events, tasks, and contacts. The application concatenates the category data directly into HTML pages without proper escaping, so a crafted category name can trigger arbitrary client‑side code when viewed by a user. This can lead to theft of session cookies, credential hijacking, or redirecting the user to malicious sites.

Affected Systems

The affected product is Alinto’s SOGo mail/calendar application. All releases before version 5.12.5 are vulnerable; upgrading to 5.12.5 or later removes the issue.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity while the EPSS score of less than 1 % shows a low likelihood of exploitation. The flaw is not listed in CISA’s KEV catalog. The likely attack vector is through the web interface; an attacker who can supply a crafted category name that the application renders without escaping can execute arbitrary JavaScript in the victim’s browser.

Generated by OpenCVE AI on March 24, 2026 at 04:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SOGo to version 5.12.5 or later
  • Verify that category names have not been tampered with by untrusted users
  • If immediate upgrade is not possible, restrict or sanitize category creation for unauthenticated users
  • Deploy a web application firewall to detect and block known XSS payloads

Generated by OpenCVE AI on March 24, 2026 at 04:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Title Unsanitized Category Names Allow Cross‑Site Scripting in SOGo

Mon, 23 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:alinto:sogo:*:*:*:*:*:*:*:*

Mon, 23 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Alinto
Alinto sogo
Vendors & Products Alinto
Alinto sogo

Sun, 22 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
Description SOGo before 5.12.5 is prone to a XSS vulnerability with events, tasks, and contacts categories.
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Alinto Sogo
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-02T17:57:00.835Z

Reserved: 2026-03-22T02:11:49.166Z

Link: CVE-2025-71276

cve-icon Vulnrichment

Updated: 2026-03-23T15:07:25.141Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-22T03:16:00.233

Modified: 2026-03-23T19:47:35.633

Link: CVE-2025-71276

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:46:45Z

Weaknesses