Home / mailingsPDF  

[USN-8504-1] SOGo vulnerabilities

Posted on 06 July 2026
Ubuntu Security

==========================================================================Ubuntu Security Notice USN-8504-1
July 05, 2026

sogo vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in SOGo.

Software Description:
- sogo: Open Source Webmail for businesses and communities

Details:

It was discovered that SOGo did not properly sanitize categories used
for events, tasks, and contacts. A remote authenticated attacker could
possibly use this issue to perform cross-site scripting attacks. This
issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04
LTS, and Ubuntu 26.04 LTS. (CVE-2025-71276)

It was discovered that SOGo did not properly sanitize the hint query
parameter. A remote attacker could possibly use this issue to perform
cross-site scripting attacks. This issue only affected Ubuntu 26.04
LTS. (CVE-2026-3054)

It was discovered that SOGo did not renew the one-time password when a
user disabled and re-enabled it, and used a shorter length than
recommended. A remote attacker could possibly use this issue to bypass
authentication. This issue only affected Ubuntu 22.04 LTS and Ubuntu
26.04 LTS. (CVE-2026-33550)

It was discovered that SOGo did not properly use the SQL adaptor for
the user source, resulting in SQL injection when certain databases
were used. A remote authenticated attacker could possibly use this
issue to obtain sensitive information or execute arbitrary SQL
commands. (CVE-2026-46445, CVE-2026-46446)

It was discovered that SOGo did not properly sanitize mail containing
ICS calendar invitations. A remote attacker could possibly use this
issue to perform cross-site scripting attacks. This issue only
affected Ubuntu 26.04 LTS. (CVE-2026-8496)

It was discovered that SOGo did not properly validate identifiers when
managing access control lists. A remote authenticated attacker could
possibly use this issue to perform SQL injection attacks and obtain
sensitive information. (CVE-2026-8851)

It was discovered that SOGo did not properly sanitize the theme
parameter. A remote attacker could possibly use this issue to perform
cross-site scripting attacks. This issue only affected Ubuntu 18.04
LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2025-63499)

It was discovered that SOGo did not properly sanitize the userName
parameter on the login page. A remote attacker could possibly use this
issue to perform cross-site scripting attacks. This issue only
affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and
Ubuntu 22.04 LTS. (CVE-2025-63498)

It was discovered that SOGo did not properly sanitize attachments when
previewing them. A remote attacker could possibly use this issue to
perform cross-site scripting attacks. This issue only affected Ubuntu
16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
(CVE-2024-34462)

It was discovered that SOGo did not validate the signatures of SAML
assertions it received when SAML was used for authentication. A remote
attacker could possibly use this issue to impersonate other users.
This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and
Ubuntu 20.04 LTS. (CVE-2021-33054)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
sogo 5.12.4-1.2ubuntu0.1~esm1
Available with Ubuntu Pro
sogo-activesync 5.12.4-1.2ubuntu0.1~esm1
Available with Ubuntu Pro
sogo-common 5.12.4-1.2ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 22.04 LTS
sogo 5.5.1-1ubuntu0.1~esm1
Available with Ubuntu Pro
sogo-activesync 5.5.1-1ubuntu0.1~esm1
Available with Ubuntu Pro
sogo-common 5.5.1-1ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 20.04 LTS
sogo 4.3.0-1ubuntu0.1~esm1
Available with Ubuntu Pro
sogo-common 4.3.0-1ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 18.04 LTS
sogo 3.2.10-1ubuntu0.1~esm1
Available with Ubuntu Pro
sogo-common 3.2.10-1ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 16.04 LTS
sogo 2.2.17a-1.1ubuntu0.1~esm1
Available with Ubuntu Pro
sogo-common 2.2.17a-1.1ubuntu0.1~esm1
Available with Ubuntu Pro

After a standard system update you need to restart SOGo to make
all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8504-1
CVE-2021-33054, CVE-2024-34462, CVE-2025-63498, CVE-2025-63499,
CVE-2025-71276, CVE-2026-3054, CVE-2026-33550, CVE-2026-46445,
CVE-2026-46446, CVE-2026-8496, CVE-2026-8851

--===============2073104771889126326==Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature

 

TOP