6.1

CVE-2026-8496

EPSS 0.05%
Veröffentlicht 13.05.2026 18:02:54
Zuletzt bearbeitet 14.05.2026 16:07:11
Quelle cret@cert.org
CVE-Watchlists
Login
Unerledigt
Login

A cross-site scripting (XSS) vulnerability in Alinto SOGo, version 5.12.7

A cross-site scripting (XSS) vulnerability exists in Alinto SOGo, version  5.12.7. A maliciously crafted ICS calendar invitation files allows arbitrary JavaScript execution within the authenticated SOGo webmail session. The issue occurs because SVG content embedded in the description field of an ICS file, with an onrepeat event handler, is insufficiently sanitized before being rendered in the webmail interface. A remote attacker can execute JavaScript in the victim's browser when the malicious calendar invite is viewed.  Successful exploitation may allow mailbox access, email and contact theft, session hijacking, and other actions allowed by an authenticated user.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 0 Referenzen 6

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerAlinto SOGo

≫

Produkt SOGo

Version 0

Version < 5.12.8

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.139

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Es wurden noch keine Informationen zu CWE veröffentlicht.

https://github.com/Alinto/sogo/commit/67ce01ec2a1a7854d8e9f615dd65afb949043e86

https://github.com/Alinto/sogo/releases/tag/SOGo-5.12.8

https://www.sogo.nu/news/2026/sogo-v5128-released.html

https://nvd.nist.gov/vuln/detail/CVE-2026-8496

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-8496

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-8496

EUVD