
Debian LTS DLA-4657-1 sogo Important SQL Injection XSS Vulnerabilities

Source: Debian LTS
Date: June 29, 2026
Debian LTS Advisory DLA-4657-1 addresses critical vulnerabilities in sogo affecting webmail security. Upgrade recommended.

Summary

* CVE-2026-46445: A SQL injection vulnerability when PostgreSQL is
used as the user database.

* CVE-2026-46446: Address a SQL injection vulnerability when MariaDB
or PostgreSQL is used as the user database and passwords are
stored in cleartext.

* CVE-2025-71276: Fix a Cross-Site Scripting (XSS) vulnerability in
event, task and contact categories.

* CVE-2026-33550: Address a number of Time-Based One-Time Password
(TOTP) vulnerabilities, including various values not being renewed
when a user disables and re-enables TOTP, and an issue around
recommended TOTP lengths.

* CVE-2026-8496: Fix an issue where a maliciously crafted .ICS
calendar invitation file allowed arbitrary JavaScript execution
within an authenticated webmail session.

* CVE-2026-8851: Fix an SQL injection vulnerability in the access
control list management functionality, which could have allowed
authenticated users to extract arbitrary data from the database by
injecting SQL subqueries through the "uid" parameter of the

Severity: important

Package: sogo
Version: 5.8.0-2+deb12u3
