CVE-2026-8496
Publication date 13 May 2026
Last updated 6 July 2026
Ubuntu priority
Cvss 3 Severity Score
Description
A cross-site scripting (XSS) vulnerability exists in Alinto SOGo, version 5.12.7. A maliciously crafted ICS calendar invitation files allows arbitrary JavaScript execution within the authenticated SOGo webmail session. The issue occurs because SVG content embedded in the description field of an ICS file, with an onrepeat event handler, is insufficiently sanitized before being rendered in the webmail interface. A remote attacker can execute JavaScript in the victim's browser when the malicious calendar invite is viewed. Successful exploitation may allow mailbox access, email and contact theft, session hijacking, and other actions allowed by an authenticated user.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| sogo | 26.04 LTS resolute |
Fixed 5.12.4-1.2ubuntu0.1~esm1
|
| 25.10 questing |
Vulnerable
|
|
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu Pro 30-day free trialSeverity score breakdown
CVSS version: CVSS v3.0
Base score
6.1 · Medium
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References
Related Ubuntu Security Notices (USN)
- USN-8504-1
- SOGo vulnerabilities
- 5 July 2026
Other references
- https://www.cve.org/CVERecord?id=CVE-2026-8496
- https://github.com/Alinto/sogo/commit/67ce01ec2a1a7854d8e9f615dd65afb949043e8 (SOGo-5.12.8)
- https://github.com/Alinto/sogo/commit/67ce01ec2a1a7854d8e9f615dd65afb949043e86
- https://github.com/Alinto/sogo/releases/tag/SOGo-5.12.8
- https://www.sogo.nu/news/2026/sogo-v5128-released.html