Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 554
Alerts This Week
Warning Icon 1 554

Ubuntu SOGo Important Cross-Site Scripting SQL Injection USN-8504-1

ubuntu
Calendar Grey July 6, 2026
Dist Ubuntu Esm H88
Critical updates available for SOGo on various Ubuntu LTS versions to address significant security issues and risks.
Several security issues were fixed in SOGo.

Summary

Several security issues were fixed in SOGo.

Software Description:

- sogo: Open Source Webmail for businesses and communities

Details:

It was discovered that SOGo did not properly sanitize categories used

for events, tasks, and contacts. A remote authenticated attacker could

possibly use this issue to perform cross-site scripting attacks. This

issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04

LTS, and Ubuntu 26.04 LTS. (CVE-2025-71276)

It was discovered that SOGo did not properly sanitize the hint query

parameter. A remote attacker could possibly use this issue to perform

cross-site scripting attacks. This issue only affected Ubuntu 26.04

LTS. (CVE-2026-3054)

It was discovered that SOGo did not renew the one-time password when a

user disabled and re-enabled it, and used a shorter length than

recommended. A remote attacker could possibly use this issue to bypass

authentication. This issue only affected Ubuntu 22.04 LTS and Ubuntu

26.04 LTS. (CVE-2026-33550)

I...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
  sogo                            5.12.4-1.2ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  sogo-activesync                 5.12.4-1.2ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  sogo-common                     5.12.4-1.2ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  sogo                            5.5.1-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  sogo-activesync                 5.5.1-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  sogo-common                     5.5.1-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  sogo                            4.3.0-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  sogo-common                     4.3.0-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  sogo                            3.2.10-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  sogo-common                     3.2.10-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  sogo                            2.2.17a-1.1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  sogo-common                     2.2.17a-1.1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

After a standard system update you need to restart SOGo to make
all the necessary changes.

References

https://ubuntu.com/security/notices/USN-8504-1

CVE-2021-33054, CVE-2024-34462, CVE-2025-63498, CVE-2025-63499,

CVE-2025-71276, CVE-2026-3054, CVE-2026-33550, CVE-2026-46445,

CVE-2026-46446, CVE-2026-8496, CVE-2026-8851

Severity
important
Lowest
Low
Medium
High
Critical

Ubuntu Security Notice USN-8504-1

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.