CVE-2026-3054

MEDIUM WAF: High

CVSS 6.1 Published: 2026-02-24

CWE-79 CWE-94

A vulnerability was identified in Alinto SOGo 5.12.3/5.12.4. This impacts an unknown function. The manipulation of the argument hint leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

WAF Coverage Analysis

Cross-Site Scripting (XSS) High WAF Coverage

OWASP: A03:2021 Injection

941xxx - XSS / XXE

Code Injection Medium WAF Coverage

OWASP: A03:2021 Injection

932xxx - Remote Code Execution 933xxx - PHP Injection 934xxx - Node.js / Generic Injection

Affected Software

Vendor	Product	Version
alinto	sogo	5.12.3
alinto	sogo	5.12.4

References

vuldb.com (Permissions Required, Third Party Advisory, VDB Entry)
vuldb.com (Third Party Advisory, VDB Entry)
vuldb.com (Third Party Advisory, VDB Entry)

Back to CVE Database