Cross-Site Scripting Vulnerability in Alinto SOGo Email Groupware
CVE-2026-3054

5.3MEDIUM

Key Information:

Vendor

Alinto

Status
Sogo
Vendor
CVE Published:
24 February 2026

What is CVE-2026-3054?

A cross-site scripting (XSS) vulnerability exists in versions 5.12.3 and 5.12.4 of Alinto's SOGo email groupware. This issue arises from improper handling of the 'hint' argument, allowing attackers to execute arbitrary scripts in the browsers of unsuspecting users. The exploit can be initiated remotely, meaning that attackers do not need physical access to the system to launch their attacks. Despite the vendor being notified early of this vulnerability, no response was recorded, raising concerns about the product's security posture.

Affected Version(s)

SOGo 5.12.3

SOGo 5.12.4

References

https://vuldb.com/?id.347412
vdb-entrytechnical-description
https://vuldb.com/?ctiid.347412
signaturepermissions-required
https://vuldb.com/?submit.757609
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

erickfernandox (VulDB User)
.