CVE-2026-3054
Publication date 24 February 2026
Last updated 6 July 2026
Ubuntu priority
Cvss 3 Severity Score
Description
A vulnerability was identified in Alinto SOGo 5.12.3/5.12.4. This impacts an unknown function. The manipulation of the argument hint leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| sogo | 26.04 LTS resolute |
Fixed 5.12.4-1.2ubuntu0.1~esm1
|
| 25.10 questing |
Vulnerable
|
|
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial | Ignored end of ESM support, was needs-triage |
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu Pro 30-day free trialSeverity score breakdown
CVSS version:
Base score
2.1 · Low
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
Base score
4.3 · Medium
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
References
Related Ubuntu Security Notices (USN)
- USN-8504-1
- SOGo vulnerabilities
- 5 July 2026