CVE-2026-3054

NameCVE-2026-3054
DescriptionA vulnerability was identified in Alinto SOGo 5.12.3/5.12.4. This impacts an unknown function. The manipulation of the argument hint leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1130878

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
sogo (PTS)bullseye5.0.1-4+deb11u1vulnerable
bullseye (security)5.0.1-4+deb11u3vulnerable
bookworm5.8.0-2+deb12u2vulnerable
trixie5.12.1-3+deb13u1vulnerable
forky, sid5.12.4-1.2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
sogosource(unstable)(unfixed)1130878

Notes

Fixed by: https://github.com/Alinto/sogo/commit/e821b20f87d1a9757f1d0aff7d1e31703f97054b (SOGo-5.12.5)
Search for package or bug name: Reporting problems