Description
A cross-site scripting (XSS) vulnerability exists in Alinto SOGo, version 5.12.7. A maliciously crafted ICS calendar invitation file allows arbitrary JavaScript execution within the authenticated SOGo webmail session. The issue occurs because SVG content embedded in the description field of an ICS file, with an onrepeat event handler, is insufficiently sanitized before being rendered in the webmail interface. A remote attacker can execute JavaScript in the victim's browser when the malicious calendar invite is viewed. Successful exploitation may allow mailbox access, email and contact theft, session hijacking, and other actions allowed by an authenticated user.
Published: 2026-05-13
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross‑site scripting vulnerability in Alinto SOGo 5.12.7 allows a maliciously crafted iCalendar file to inject and execute arbitrary JavaScript in the context of an authenticated webmail session. The flaw occurs because SVG content placed in the calendar description field, in particular an onrepeat event handler, is not properly sanitized before rendering, so the attacker's script runs in the victim's browser. The injected script can give the attacker access to the user's mailbox, allow theft of emails or contacts, hijack the session, and perform any action the authenticated user is authorized to perform.

Affected Systems

Alinto SOGo version 5.12.7 is affected. The issue is fixed in the 5.12.8 release.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.1, indicating moderate severity, and it is not listed in CISA KEV. No EPSS score is available. Attackers must deliver a malicious iCalendar file and the victim must be logged into the SOGo webmail interface for exploitation. Once the invite is opened, the injected script runs with the victim’s privileges, allowing compromise of that user’s session and data. The simplicity of this delivery method and the potential for full account compromise make remediation a priority even at moderate severity.

Generated by OpenCVE AI on May 13, 2026 at 20:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Alinto SOGo to version 5.12.8 or later to remove the vulnerable code path.
  • If an upgrade is not immediately possible, disable SVG rendering or configure the application to strip the onrepeat event handler from calendar descriptions before rendering.
  • Use a content‑filtering or sanitization tool that removes disallowed SVG elements and event handlers from iCalendar files prior to display.
  • Educate users to be cautious when opening calendar invitations from unknown or untrusted sources.
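The sanitization step in the recommendations above, shown as an added example written for this page (it is not SOGo's or OpenCVE's code): an allowlist sanitizer that extracts the DESCRIPTION property from an iCalendar object, keeps only a few inline formatting tags, drops every SVG element and every on* event handler, and records what it removed so the stripping can be logged. It assumes the webmail renders the description as HTML; the tag allowlist, the helper names and the sample ICS object (including its placeholder onrepeat value) are constructed for this example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Inline formatting that calendar descriptions legitimately use (assumed allowlist).
# Anything not listed here, including svg/animate/set/script, is stripped.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_HREF = re.compile(r"^(?:https?:|mailto:)", re.IGNORECASE)
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}  # their text is code, not prose: drop it too


class AllowlistSanitizer(HTMLParser):
    """Re-serialises a markup fragment keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []      # audit trail of (kind, what) for logging
        self._drop_depth = 0   # > 0 while inside <script>/<style>

    def _emit_start(self, tag, attrs, self_closing):
        # Event handlers are always logged, even on tags that are dropped anyway.
        for name, _ in attrs:
            if name.lower().startswith("on"):
                self.dropped.append(("event-handler", f"{tag}@{name.lower()}"))
        if tag not in ALLOWED_TAGS:
            self.dropped.append(("tag", tag))
            return
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                continue  # already logged above
            if lname not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(("attr", f"{tag}@{lname}"))
                continue
            if lname == "href" and not SAFE_HREF.match((value or "").strip()):
                self.dropped.append(("unsafe-href", value))
                continue
            kept.append(f' {lname}="{escape(value or "", quote=True)}"')
        closer = " /" if (self_closing or tag in VOID_TAGS) else ""
        self.out.append(f"<{tag}{''.join(kept)}{closer}>")

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth += 1
            self.dropped.append(("tag", tag))
            return
        self._emit_start(tag, attrs, self_closing=False)

    def handle_startendtag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.dropped.append(("tag", tag))
            return
        self._emit_start(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth = max(0, self._drop_depth - 1)
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._drop_depth == 0:
            self.out.append(escape(data))  # text is never trusted: always escaped


def sanitize_html(fragment):
    """Return (safe_markup, dropped_items) for one description fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


def ics_description(ics_text):
    """Extract and unescape the first DESCRIPTION value of an iCalendar object (RFC 5545)."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics_text)  # CRLF + space/tab continues the line
    for line in unfolded.split("\n"):
        name, sep, value = line.rstrip("\r").partition(":")
        if sep and name.split(";")[0].upper() == "DESCRIPTION":
            return re.sub(r"\\([nN,;\\])",
                          lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)
    return ""


def sanitize_invite(ics_text):
    """Sanitize the DESCRIPTION of an invite before it is handed to the renderer."""
    return sanitize_html(ics_description(ics_text))


SAMPLE_ICS = (  # constructed sample object; the onrepeat value is a placeholder
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
    "UID:constructed-example@example.invalid\r\nSUMMARY:Team sync\r\n"
    "DESCRIPTION:Agenda\\, see <b>notes</b><svg><animate onrepeat=\"x()\" attribut\r\n"
    " eName=\"x\" dur=\"1s\" repeatCount=\"2\"/></svg>"
    "<a href=\"https://example.invalid/agenda\">link</a>\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

if __name__ == "__main__":
    safe, dropped = sanitize_invite(SAMPLE_ICS)
    print(safe)
    for kind, what in dropped:
        print(f"stripped {kind}: {what}")
```

Two design points worth noting: the sanitizer is an allowlist, so new SVG elements or event attributes are rejected without anyone having to enumerate them, and the `dropped` list gives the operator something to alert on (an invite whose description carried an event handler is worth a look even after it has been neutralised). Rendering the description as plain escaped text is the simpler alternative if formatted descriptions are not needed.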

Generated by OpenCVE AI on May 13, 2026 at 20:27 UTC.

Advisories

No advisories yet.

History

Thu, 14 May 2026 14:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Alinto; Alinto sogo
Vendors & Products   -                Alinto; Alinto sogo

Wed, 13 May 2026 20:45:00 +0000

Type         Values Removed   Values Added
Weaknesses   -                CWE-79

Wed, 13 May 2026 19:30:00 +0000

Type      Values Removed   Values Added
Metrics   -                cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
                           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 18:30:00 +0000

Type          Values Removed   Values Added
Description   -                A cross-site scripting (XSS) vulnerability exists in Alinto SOGo, version 5.12.7. A maliciously crafted ICS calendar invitation files allows arbitrary JavaScript execution within the authenticated SOGo webmail session. The issue occurs because SVG content embedded in the description field of an ICS file, with an onrepeat event handler, is insufficiently sanitized before being rendered in the webmail interface. A remote attacker can execute JavaScript in the victim's browser when the malicious calendar invite is viewed. Successful exploitation may allow mailbox access, email and contact theft, session hijacking, and other actions allowed by an authenticated user.
Title         -                A cross-site scripting (XSS) vulnerability in Alinto SOGo, version 5.12.7
References

MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-05-13T18:56:18.944Z

Reserved: 2026-05-13T17:31:27.218Z

Link: CVE-2026-8496

Vulnrichment

Updated: 2026-05-13T18:56:14.922Z

NVD

Status : Deferred

Published: 2026-05-13T19:17:30.700

Modified: 2026-05-14T16:07:11.137

Link: CVE-2026-8496

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:30:15Z

Weaknesses