Description
A vulnerability was identified in Alinto SOGo 5.12.3/5.12.4. This impacts an unknown function. The manipulation of the argument hint leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS)
Action: Assess
AI Analysis

Impact

The vulnerability located in Alinto SOGo 5.12.3 and 5.12.4 allows an attacker to inject arbitrary script code into web pages through manipulation of the "hint" argument. Because the injection point is rendered without proper encoding, an attacker can run scripts in the victim's browser session, leading to possible session hijacking, phishing, or data theft. The weakness is classified as a classic reflected XSS (CWE‑79) combined with unsafe code execution pathways (CWE‑94). The flaw originates from an unspecified internal function that processes the hint parameter.

Affected Systems

The affected product is Alinto SOGo versions 5.12.3 and 5.12.4. No other vendor or product versions are listed in the advisory.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity, while the EPSS score is less than 1%, which suggests a relatively low probability of exploitation. The flaw is remotely exploitable and a public exploit exists, so an attacker only needs a user to visit a crafted URL or interact with malicious content. Although the risk appears moderate and the vulnerability is not listed in the CISA KEV catalog, the lack of an official vendor fix calls for proactive remediation wherever the software is in use.

Generated by OpenCVE AI on April 17, 2026 at 15:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether Alinto has released a newer SOGo version or a patch that addresses this XSS issue; if available, upgrade or apply the patch immediately.
  • If no patch is available, apply rigorous server‑side input validation and output encoding to the "hint" parameter so that injected scripts are neutralized before rendering.
  • Deploy a strict Content Security Policy that blocks inline script execution and limits script sources to trusted origins, thereby reducing the impact of any residual injection.
  • Configure a Web Application Firewall to detect and block malicious payloads aimed at the hint argument.

Advisories

No advisories yet.

History

Sat, 28 Feb 2026 01:45:00 +0000

Type      Values Removed    Values Added
CPEs                        cpe:2.3:a:alinto:sogo:5.12.3:*:*:*:*:*:*:*
                            cpe:2.3:a:alinto:sogo:5.12.4:*:*:*:*:*:*:*

Tue, 24 Feb 2026 22:15:00 +0000

Type      Values Removed    Values Added
Metrics                     ssvc
                            {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 03:00:00 +0000

Type                  Values Removed    Values Added
Description                             A vulnerability was identified in Alinto SOGo 5.12.3/5.12.4. This impacts an unknown function. The manipulation of the argument hint leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title                                   Alinto SOGo cross site scripting
First Time appeared                     Alinto
                                        Alinto sogo
Weaknesses                              CWE-79
                                        CWE-94
CPEs                                    cpe:2.3:a:alinto:sogo:*:*:*:*:*:*:*:*
Vendors & Products                      Alinto
                                        Alinto sogo
References
Metrics                                 cvssV2_0
                                        {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:C'}
                                        cvssV3_0
                                        {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C'}
                                        cvssV3_1
                                        {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C'}
                                        cvssV4_0
                                        {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-24T20:45:48.226Z

Reserved: 2026-02-23T17:54:56.109Z

Link: CVE-2026-3054

Vulnrichment

Updated: 2026-02-24T20:44:29.843Z

NVD

Status: Analyzed

Published: 2026-02-24T03:16:02.977

Modified: 2026-02-28T01:36:15.960

Link: CVE-2026-3054

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T16:00:11Z

Weaknesses