SOGo

vSOGo-5.12.8 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 22d Communication & Email
✓ No known CVEs patched
This release patches 2 known CVEs

Topics

angularjs-material groupware objective-c sogo

Affected surfaces

auth rce_ssrf

ReleasePort's take

Light signal
editorial:auto 13d

The SOGo 5.12.8 release patches two XSS injection flaws in mail handling and one SQL injection flaw affecting the database layer.

Why it matters: Patch to SOGo-5.12.8 immediately to remediate CVE-level XSS (mail) and SQL injection risks.

Summary

AI summary

Fixed two XSS injections and a SQL injection vulnerability in SOGo.

Changes in this release

Security Medium

Fixes two possible XSS injections with malicious mail.

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Fixes one possible SQL injection with a specific request.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fixes impersonation vulnerability when using OpenID with a non-matching user source.

Source: llm_adapter@2026-05-21

Confidence: low

Full changelog

The Alinto team is pleased to announce the immediate availability of SOGo v5.12.8. This is a major release as it fixes security vulnerabilities.

IMPORTANT

Four major vulnerabilities have been reported and fixed in this version 5.12.8 or since the nightly of the 8th of May 2026: sogo_5.12.7.20260508.

Those vulnerabilities affect any previous SOGo version. Please update as soon as possible.

CVE IDs will be updated once they are created.

Affects anyone

  • 2 possible XSS injections with malicious mail: fixed.
  • 1 possible SQL injection with specific request: fixed.

Affects SOGo when using OpenID with a non-matching user source

  • Impersonation with untrusted user source: fixed

Regression

Some regressions, mainly in the mail view, may occur. If you find any, please report them at https://bugs.sogo.nu

Thanks

Thanks a lot to the reporters for having found and investigated them and for validating the fixes!

Security Fixes

  • CVE pending: fixed two XSS injection vulnerabilities via malicious mail.
  • CVE pending: fixed SQL injection vulnerability with a specific request.

About SOGo

SOGo offers multiple ways to access the calendaring and messaging data. CalDAV, CardDAV, GroupDAV, as well as ActiveSync, including native Outlook compatibility and Web interface.
