Home / mailings [USN-8504-1] SOGo vulnerabilities
Posted on 06 July 2026
Ubuntu Security==========================================================================Ubuntu Security Notice USN-8504-1
July 05, 2026
sogo vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in SOGo.
Software Description:
- sogo: Open Source Webmail for businesses and communities
Details:
It was discovered that SOGo did not properly sanitize categories used
for events, tasks, and contacts. A remote authenticated attacker could
possibly use this issue to perform cross-site scripting attacks. This
issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04
LTS, and Ubuntu 26.04 LTS. (CVE-2025-71276)
It was discovered that SOGo did not properly sanitize the hint query
parameter. A remote attacker could possibly use this issue to perform
cross-site scripting attacks. This issue only affected Ubuntu 26.04
LTS. (CVE-2026-3054)
It was discovered that SOGo did not renew the one-time password when a
user disabled and re-enabled it, and used a shorter length than
recommended. A remote attacker could possibly use this issue to bypass
authentication. This issue only affected Ubuntu 22.04 LTS and Ubuntu
26.04 LTS. (CVE-2026-33550)
It was discovered that SOGo did not properly use the SQL adaptor for
the user source, resulting in SQL injection when certain databases
were used. A remote authenticated attacker could possibly use this
issue to obtain sensitive information or execute arbitrary SQL
commands. (CVE-2026-46445, CVE-2026-46446)
It was discovered that SOGo did not properly sanitize mail containing
ICS calendar invitations. A remote attacker could possibly use this
issue to perform cross-site scripting attacks. This issue only
affected Ubuntu 26.04 LTS. (CVE-2026-8496)
It was discovered that SOGo did not properly validate identifiers when
managing access control lists. A remote authenticated attacker could
possibly use this issue to perform SQL injection attacks and obtain
sensitive information. (CVE-2026-8851)
It was discovered that SOGo did not properly sanitize the theme
parameter. A remote attacker could possibly use this issue to perform
cross-site scripting attacks. This issue only affected Ubuntu 18.04
LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2025-63499)
It was discovered that SOGo did not properly sanitize the userName
parameter on the login page. A remote attacker could possibly use this
issue to perform cross-site scripting attacks. This issue only
affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and
Ubuntu 22.04 LTS. (CVE-2025-63498)
It was discovered that SOGo did not properly sanitize attachments when
previewing them. A remote attacker could possibly use this issue to
perform cross-site scripting attacks. This issue only affected Ubuntu
16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
(CVE-2024-34462)
It was discovered that SOGo did not validate the signatures of SAML
assertions it received when SAML was used for authentication. A remote
attacker could possibly use this issue to impersonate other users.
This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and
Ubuntu 20.04 LTS. (CVE-2021-33054)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
sogo 5.12.4-1.2ubuntu0.1~esm1
Available with Ubuntu Pro
sogo-activesync 5.12.4-1.2ubuntu0.1~esm1
Available with Ubuntu Pro
sogo-common 5.12.4-1.2ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 22.04 LTS
sogo 5.5.1-1ubuntu0.1~esm1
Available with Ubuntu Pro
sogo-activesync 5.5.1-1ubuntu0.1~esm1
Available with Ubuntu Pro
sogo-common 5.5.1-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 20.04 LTS
sogo 4.3.0-1ubuntu0.1~esm1
Available with Ubuntu Pro
sogo-common 4.3.0-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
sogo 3.2.10-1ubuntu0.1~esm1
Available with Ubuntu Pro
sogo-common 3.2.10-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 16.04 LTS
sogo 2.2.17a-1.1ubuntu0.1~esm1
Available with Ubuntu Pro
sogo-common 2.2.17a-1.1ubuntu0.1~esm1
Available with Ubuntu Pro
After a standard system update you need to restart SOGo to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8504-1
CVE-2021-33054, CVE-2024-34462, CVE-2025-63498, CVE-2025-63499,
CVE-2025-71276, CVE-2026-3054, CVE-2026-33550, CVE-2026-46445,
CVE-2026-46446, CVE-2026-8496, CVE-2026-8851
--===============2073104771889126326==Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
