CVE-2026-3054

A vulnerability was identified in Alinto SOGo 5.12.3/5.12.4. This impacts an unknown function. The manipulation of the argument hint leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

References

Affected packages

Git / github.com/alinto/sogo

Affected ranges

Type

GIT

Repo

https://github.com/alinto/sogo

Events

Introduced

Last affected

b69ef6d7a58da32954fed6636aed18524137b017

Introduced

Last affected

f18e3a05c3aed1a3b3ee0f5696627e031ac2aebe

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "5.12.3"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "5.12.4"
        }
    ]
}

Affected versions

SOGo-2.*

SOGo-2.0.1

SOGo-2.0.2

SOGo-2.2.17a

SOGo-2.2.20

SOGo-2.3.0

SOGo-3.*

SOGo-3.0.0

SOGo-3.0.0b1

SOGo-3.0.0b2

SOGo-3.0.0b3

SOGo-3.0.0b4

SOGo-3.0.0b5

SOGo-3.0.1

SOGo-3.0.2

SOGo-3.1.0

SOGo-3.1.2

SOGo-3.1.3

SOGo-3.1.4

SOGo-3.1.5

SOGo-3.2.0

SOGo-3.2.1

SOGo-3.2.10

SOGo-3.2.2

SOGo-3.2.3

SOGo-3.2.4

SOGo-3.2.5

SOGo-3.2.6a

SOGo-3.2.7

SOGo-3.2.8

SOGo-3.2.9

SOGo-4.*

SOGo-4.0.0

SOGo-4.0.1

SOGo-4.0.2

SOGo-4.0.3

SOGo-4.0.4

SOGo-4.0.5

SOGo-4.0.6

SOGo-4.0.7

SOGo-4.0.8

SOGo-4.1.0

SOGo-4.1.1

SOGo-4.2.0

SOGo-4.3.0

SOGo-4.3.1

SOGo-4.3.2

SOGo-5.*

SOGo-5.0.0

SOGo-5.0.1

SOGo-5.1.0

SOGo-5.1.1

SOGo-5.10.0

SOGo-5.11.0

SOGo-5.11.1

SOGo-5.11.2

SOGo-5.12.0

SOGo-5.12.1

SOGo-5.12.2

SOGo-5.12.3

SOGo-5.12.4

SOGo-5.2.0

SOGo-5.3.0

SOGo-5.4.0

SOGo-5.5.0

SOGo-5.5.1

SOGo-5.6.0

SOGo-5.7.0

SOGo-5.7.1

SOGo-5.8.0

SOGo-5.8.1

SOGo-5.8.2

SOGo-5.9.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-3054.json"