From nobody Wed Mar 25 12:51:07 2026
Received: (at submit) by bugs.debian.org; 15 Mar 2026 15:20:59 +0000
Return-path: <carnil@debian.org>
Received: via submission by buxtehude.debian.org with esmtp (Exim 4.96)
 (envelope-from <carnil@debian.org>) id 1w1nH0-0086dt-1V
 for submit@bugs.debian.org; Sun, 15 Mar 2026 15:20:59 +0000
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sogo: CVE-2026-3054
Message-ID: <177358805755.3597376.2528719404454885100.reportbug@eldamar.lan>
X-Mailer: reportbug 13.2.0
Date: Sun, 15 Mar 2026 16:20:57 +0100
Delivered-To: submit@bugs.debian.org

Source: sogo
Version: 5.12.4-1.2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for sogo.

CVE-2026-3054[0]:
| A vulnerability was identified in Alinto SOGo 5.12.3/5.12.4. This
| impacts an unknown function. The manipulation of the argument hint
| leads to cross site scripting. The attack can be initiated remotely.
| The exploit is publicly available and might be used. The vendor was
| contacted early about this disclosure but did not respond in any
| way.

From the current information it looks like sogo upstream was contacted but
did not react to or comment on the issue? Can you try to check what their
take on that report is?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-3054
    https://www.cve.org/CVERecord?id=CVE-2026-3054

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore