SOGo
by SOGo
CVEs (11)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-8851 | SOGo | High | 0.53 | 8.1 | 0.00 |  | May 18, 2026 | SOGo versions 5.12.7 and prior contain a SQL injection vulnerability in the Access Control List management functionality that allows authenticated users to extract arbitrary data from the database by injecting SQL subqueries through the uid parameter of the addUserInAcls… |
| CVE-2015-5395 | SOGo | High | 0.50 | 8.8 | 0.01 |  | Sep 20, 2017 | Cross-site request forgery (CSRF) vulnerability in SOGo before 3.1.0. |
| CVE-2021-33054 | SOGo | High | 0.49 | 7.5 | 0.01 |  | Jun 4, 2021 | SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.) |
| CVE-2024-56963 | Sogou Input (iOS) | Med | 0.42 | 6.5 | 0.00 |  | Jan 27, 2025 | An issue in Beijing Sogou Technology Development Co., Ltd Sogou Input iOS 12.2.0 allows attackers to access sensitive user information via supplying a crafted link. |
| CVE-2016-6188 | SOGo | Med | 0.42 | 6.5 | 0.02 |  | Feb 3, 2017 | Memory leak in SOGo 2.3.7 allows remote attackers to cause a denial of service (memory consumption) via a large number of attempts to upload a large attachment, related to temporary files. |
| CVE-2020-22402 | SOGo | Med | 0.40 | 6.1 | 0.00 |  | Jun 14, 2023 | Cross Site Scripting (XSS) vulnerability in SOGo Web Mail before 4.3.1 allows attackers to obtain sensitive user information when a user reads an email containing malicious code. |
| CVE-2025-50340 | SOGo | Med | 0.28 | 4.3 | 0.00 |  | Aug 4, 2025 | An Insecure Direct Object Reference (IDOR) vulnerability was discovered in SOGo Webmail through 5.6.0, allowing an authenticated user to send emails on behalf of other users by manipulating a user-controlled identifier in the email-sending request. The server fails to verify… |
| CVE-2016-6190 | SOGo | Med | 0.28 | 4.3 | 0.01 |  | Feb 17, 2017 | SOGo before 2.3.12 and 3.x before 3.1.1 does not restrict access to the UID and DTSTAMP attributes, which allows remote authenticated users to obtain sensitive information about appointments with the "View the Date & Time" restriction, as demonstrated by correlating UIDs and… |
| CVE-2016-6189 | SOGo | Med | 0.28 | 4.3 | 0.01 |  | Feb 17, 2017 | Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds. |
| CVE-2026-33550 | SOGo |  | 0.00 | — | 0.00 |  | Mar 22, 2026 | SOGo before 5.12.5 does not renew the OTP if a user disables/enables it, and has a too short length (only 12 digits instead of the 20 recommended). |
| CVE-2025-71276 | SOGo |  | 0.00 | — | 0.00 |  | Mar 22, 2026 | SOGo before 5.12.5 is prone to an XSS vulnerability with events, tasks, and contacts categories. |

Two caveats when reading this list. CVE-2024-56963 describes Sogou Input for iOS, a product of Beijing Sogou Technology Development Co., Ltd; it shares nothing with SOGo beyond a similar name and does not affect SOGo deployments. The two entries published Mar 22, 2026 carry no CVSS score or severity in this listing, so their Risk of 0.00 reflects missing data rather than an assessment of low impact; the SAML signature-validation flaw (CVE-2021-33054) and the SQL injection in ACL management (CVE-2026-8851) are the ones to prioritise on any deployment that is still in their affected ranges.
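A practitioner looking at this table usually wants one thing: given the SOGo version actually installed, which of these CVEs still apply. The helper below is an added example, not code from the SOGo project or from this listing. It transcribes the affected-version ranges from the CVE descriptions above and evaluates them against a version string. It makes a few interpretive assumptions that are stated in the comments: "before X" is taken literally (so "before 3.1.0" also covers 2.x), CVE-2016-6188 is limited to 2.3.7 exactly because that is all the description names, and the Sogou Input entry is excluded because it is not a SOGo issue. Version ranges transcribed from CVE text are a triage aid, not a replacement for the vendor's advisories.

```python
"""Triage helper: which SOGo CVEs from the listing above apply to an installed version.

Added example. Affected ranges are transcribed from the CVE descriptions in the
table, not from SOGo advisories; check the vendor's release notes before acting.
"""
import re
from typing import Callable, List, Tuple

Component = Tuple[int, str]
Version = Tuple[Component, ...]


def parse_version(text: str) -> Version:
    """Turn '5.12.7' or '2.0.5a' into a tuple of (number, suffix) components.

    Tuples compare lexicographically, so 2.0.5 < 2.0.5a < 2.0.6, and short
    versions are padded to three components so that 3.1 == 3.1.0.
    """
    parts: List[Component] = []
    for piece in text.strip().split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", piece)
        if not m:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append((int(m.group(1)), m.group(2).lower()))
    while len(parts) < 3:
        parts.append((0, ""))
    return tuple(parts)


v = parse_version  # shorthand for the range table below

# (CVE, short description, predicate on the installed version).
# Assumptions: "before X" is applied literally across major versions;
# CVE-2016-6188 is pinned to 2.3.7 because its description names only that release.
AFFECTED: List[Tuple[str, str, Callable[[Version], bool]]] = [
    ("CVE-2026-8851", "SQL injection in ACL management (authenticated)",
     lambda x: x <= v("5.12.7")),
    ("CVE-2015-5395", "CSRF",
     lambda x: x < v("3.1.0")),
    ("CVE-2021-33054", "SAML assertion signatures not validated",
     lambda x: (v("2.0.5a") < x < v("2.4.1")) or (v("3.0.0") <= x < v("5.1.1"))),
    ("CVE-2016-6188", "memory-consumption DoS via repeated large attachment uploads",
     lambda x: x == v("2.3.7")),
    ("CVE-2020-22402", "XSS when a user reads a crafted email",
     lambda x: x < v("4.3.1")),
    ("CVE-2025-50340", "IDOR: send mail on behalf of other users",
     lambda x: x <= v("5.6.0")),
    ("CVE-2016-6190", "UID/DTSTAMP disclosure on date-and-time-restricted appointments",
     lambda x: x < v("2.3.12") or (v("3.0.0") <= x < v("3.1.1"))),
    ("CVE-2016-6189", "incomplete blacklist in ics/XML calendar feeds",
     lambda x: x < v("2.3.12") or (v("3.0.0") <= x < v("3.1.1"))),
    ("CVE-2026-33550", "OTP not renewed on disable/enable; OTP too short",
     lambda x: x < v("5.12.5")),
    ("CVE-2025-71276", "XSS via event, task and contact categories",
     lambda x: x < v("5.12.5")),
]
# CVE-2024-56963 (Sogou Input for iOS) is deliberately omitted: it is not a SOGo issue.


def applicable_cves(installed: str) -> List[str]:
    """Return the CVE IDs whose transcribed range includes the installed version."""
    ver = parse_version(installed)
    return [cve for cve, _desc, hit in AFFECTED if hit(ver)]


def report(installed: str) -> str:
    """Human-readable summary for one installed version."""
    hits = applicable_cves(installed)
    if not hits:
        return f"SOGo {installed}: none of the listed CVEs apply"
    descs = {cve: desc for cve, desc, _ in AFFECTED}
    lines = [f"SOGo {installed}: {len(hits)} listed CVE(s) apply"]
    lines += [f"  {cve}: {descs[cve]}" for cve in hits]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample versions, chosen to sit on either side of the range boundaries.
    for sample in ("2.3.7", "3.0.5", "5.1.0", "5.12.4", "5.12.6", "5.12.8"):
        print(report(sample))
```

The version parser is the part worth keeping: naive string comparison would rank "5.9.0" above "5.12.5", and the SAML advisory's lower bound of 2.0.5a needs the letter suffix to sort after 2.0.5. Running the block as a script prints one summary per sample version; the last sample, 5.12.8, is above every transcribed range and reports nothing.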