The Alinto team is pleased to announce the immediate availability of SOGo v5.12.7. This is a major release as it fix major vulnerabilities.

IMPORTANT

Two major vulnerabilities have been reported and fixed in this version 5.12.7 or since the nightly of the 26th March 2026: sogo_5.12.6.20260326. Difficult to
say from which specific version those vulnerabilities were there so, assume that any version below 5.12.7 are affected.

Those vulnerabilities only affect your system if you are with a specific configuration, detailed below.

Please read carefully and update immediately if you match one of these cases.

Vulnerability 1

• You have at least one user source of kind: PostgreSQL

Vulnerability 2

• You have at least one user source of kind: sql (Mariadb or PosgtgreSQL)
• Your password are stored in plain text in your user source: userPasswordAlgorithm = none, plain or cleartext

If your system is not within one of these cases, meaning you're using ldap user source or mariadb with encrypted password, you're safe and this update is not mandatory.

The Alinto team is pleased to announce the immediate availability of SOGo v5.12.6. This is a minor release of SOGo that fix a regression from 5.12.5.

Regression on 5.12.5

The regression is on the 5.12.5 and nightly from 26th February to 20th March.

New user added to your user source could not set up the totp.

If they do it:

• everything works and seems fine
• if they logout and login again, instead of seeing a prompt to enter the totp code, they will have a message
  Two-factor authentication has been disabled. Visit the Preferences module to restore two-factor authentication and reconfigure your TOTP application.
• Then they will be redirected to their mail view normally. With their totp disabled

Fix

• vulnerability: new user can properly use totp (623f08)

The Alinto team is pleased to announce the immediate availability of SOGo v5.12.5. This is a minor release of SOGo with bug fixes.

Several vulnerability fixes

Thanks to the community to find them and report them. If it happens, you can send a mail to [email protected].

• vulnerability: prevent javascript injection with hint query (e821b20)
• vulnerability: prevent sogo to execute scripts in theme query (16ab99e)
• vulnerability: prevent xss with events, tasks and contacts categories (e9b3f2a)
• vulnerability: properly change the totp code after disabling it (83d4c52)

Bug Fixes

• contact: research with two dots like Ä now works
• db: increase some column size for new databases (f8638a3)
• encryptedUrl: fix cache key data and expect uncrypted name for freebusy (95efe73)
• event: also add jitsi url in the location as outlook doesn't support attach url (7876013)
• identity: fix signature when changing identity (71d865b)
• login: prevent user search for login keyword (6f91600)
• Mail: correctly update quota when refreshing (af984f5)
• mail: use the correct replyTo when set to a non*default identity (03fa91d)
• minsearch: fix instance of minsearch (d7e5165)
• tool: rename-user properly change data in c_defaults and c_settings (d69f55c)
• trad: typo in a translation key (e2b8494)
• ui: prevent UI to search for users with empty string (389e8e6)