彙總 alinto 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
已披露問題常與 跨站腳本、SQL 注入與輸入驗證問題 相關,可能在 軟體部署與生產負載 場景中帶來 工作階段劫持與異常行為 等暴露風險。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2026-46446 | SOGo before 5.12.7, when PostgreSQL or MariaDB is used, and cleartext passwords are stored, allows SQL injection. This is related to c_password = '%@' in changePasswordForLogin. | [email protected] | 7.1 | 0.24% | 2026-05-14 | 2026-06-17 |
| CVE-2026-46445 | SOGo before 5.12.7, when PostgreSQL is used, allows SQL injection. | [email protected] | 7.1 | 0.24% | 2026-05-14 | 2026-06-17 |
| CVE-2026-33550 | SOGo before 5.12.5 does not renew the OTP if a user disables/enables it, and has a too short length (only 12 digits instead of the 20 recommended). | [email protected] | 2.0 | 0.14% | 2026-03-21 | 2026-06-17 |
| CVE-2025-71276 | SOGo before 5.12.5 is prone to a XSS vulnerability with events, tasks, and contacts categories. | [email protected] | 6.4 | 0.14% | 2026-03-21 | 2026-06-17 |
| CVE-2026-3054 | A vulnerability was identified in Alinto SOGo 5.12.3/5.12.4. This impacts an unknown function. The manipulation of the argument hint leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 2.1 | 0.40% | 2026-02-23 | 2026-06-17 |
| CVE-2025-63499 | Alinto Sogo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the theme parameter. | [email protected] | 6.1 | 0.26% | 2025-12-04 | 2026-06-17 |
| CVE-2025-63498 | alinto SOGo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the "userName" parameter. | [email protected] | 6.1 | 0.24% | 2025-11-24 | 2026-06-17 |
| CVE-2024-24510 | Cross Site Scripting vulnerability in Alinto SOGo before 5.10.0 allows a remote attacker to execute arbitrary code via the import function to the mail component. | [email protected] | 6.1 | 0.45% | 2024-09-09 | 2026-06-17 |
| CVE-2024-34462 | Alinto SOGo through 5.10.0 allows XSS during attachment preview. | [email protected] | 6.1 | 0.34% | 2024-05-04 | 2026-06-17 |
| CVE-2023-48104 | Alinto SOGo before 5.9.1 is vulnerable to HTML Injection. | [email protected] | 6.1 | 1.02% | 2024-01-15 | 2026-06-17 |
| CVE-2020-22402 | Cross Site Scripting (XSS) vulnerability in SOGo Web Mail before 4.3.1 allows attackers to obtain user sensitive information when a user reads an email containing malicious code. | [email protected] | 6.1 | 0.38% | 2023-06-14 | 2026-06-16 |
| CVE-2022-4558 | A vulnerability was found in Alinto SOGo up to 5.7.1. It has been classified as problematic. This affects an unknown part of the file SoObjects/SOGo/NSString+Utilities.m of the component Folder/Mail Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 5.8.0 is able to address this issue. The name of the patch is 1e0f5f00890f751e84d67be4f139dd7f00faa5f3. It is recommended to upgrade the affected component. The identifier VDB | [email protected] | 3.5 | 0.56% | 2022-12-16 | 2026-06-17 |
| CVE-2022-4556 | A vulnerability was found in Alinto SOGo up to 5.7.1 and classified as problematic. Affected by this issue is the function _migrateMailIdentities of the file SoObjects/SOGo/SOGoUserDefaults.m of the component Identity Handler. The manipulation of the argument fullName leads to cross site scripting. The attack may be launched remotely. Upgrading to version 5.8.0 is able to address this issue. The name of the patch is efac49ae91a4a325df9931e78e543f707a0f8e5e. It is recommended to upgrade the affec | [email protected] | 3.5 | 0.56% | 2022-12-16 | 2026-06-17 |
| CVE-2015-5395 | Cross-site request forgery (CSRF) vulnerability in SOGo before 3.1.0. | [email protected] | 8.8 | 0.90% | 2017-09-20 | 2026-06-16 |
| CVE-2016-6191 | Multiple cross-site scripting (XSS) vulnerabilities in the View Raw Source page in the Web Calendar in SOGo before 3.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) Description, (2) Location, (3) URL, or (4) Title field. | [email protected] | 6.1 | 1.19% | 2017-02-17 | 2026-06-16 |
| CVE-2016-6189 | Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds. | [email protected] | 4.3 | 1.40% | 2017-02-17 | 2026-06-16 |
| CVE-2014-9905 | Multiple cross-site scripting (XSS) vulnerabilities in the Web Calendar in SOGo before 2.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) title of an appointment or (2) contact fields. | [email protected] | 6.1 | 1.22% | 2017-02-17 | 2026-06-16 |
| CVE-2016-6188 | Memory leak in SOGo 2.3.7 allows remote attackers to cause a denial of service (memory consumption) via a large number of attempts to upload a large attachment, related to temporary files. | [email protected] | 6.5 | 2.14% | 2017-02-03 | 2026-06-16 |