CVE-2026-8496

Publication date 13 May 2026

Last updated 6 July 2026


Ubuntu priority

Cvss 3 Severity Score

6.1 · Medium

Score breakdown

Description

A cross-site scripting (XSS) vulnerability exists in Alinto SOGo, version 5.12.7. A maliciously crafted ICS calendar invitation files allows arbitrary JavaScript execution within the authenticated SOGo webmail session. The issue occurs because SVG content embedded in the description field of an ICS file, with an onrepeat event handler, is insufficiently sanitized before being rendered in the webmail interface. A remote attacker can execute JavaScript in the victim's browser when the malicious calendar invite is viewed. Successful exploitation may allow mailbox access, email and contact theft, session hijacking, and other actions allowed by an authenticated user.

Status

Package Ubuntu Release Status
sogo 26.04 LTS resolute
Fixed 5.12.4-1.2ubuntu0.1~esm1
25.10 questing
Vulnerable
24.04 LTS noble Not in release
22.04 LTS jammy
Not affected
20.04 LTS focal
Not affected
18.04 LTS bionic
Not affected

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro 30-day free trial

Severity score breakdown

CVSS version: CVSS v3.0

Base score 6.1 · Medium

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N


Access our resources on patching vulnerabilities