VYPR
Vendor: Alinto

Products: 2
CVEs: 21
Across products: 22
Status: Private

Recent CVEs: 21
  • CVE-2026-8851 | High | May 18, 2026
    risk 0.53 | cvss 8.1 | epss 0.00

    SOGo versions 5.12.7 and prior contain a SQL injection vulnerability in the Access Control List management functionality that allows authenticated users to extract arbitrary data from the database by injecting SQL subqueries through the uid parameter of the addUserInAcls…

  • CVE-2015-5395 | High | Sep 20, 2017
    risk 0.50 | cvss 8.8 | epss 0.01

    Cross-site request forgery (CSRF) vulnerability in SOGo before 3.1.0.

  • CVE-2025-53603 | High | Jul 5, 2025
    risk 0.42 | cvss 7.5 | epss 0.01

    In Alinto SOPE SOGo 2.0.2 through 5.12.2, sope-core/NGExtensions/NGHashMap.m allows a NULL pointer dereference and SOGo crash via a request in which a parameter in the query string is a duplicate of a parameter in the POST body.

  • CVE-2016-6188 | Medium | Feb 3, 2017
    risk 0.42 | cvss 6.5 | epss 0.02

    Memory leak in SOGo 2.3.7 allows remote attackers to cause a denial of service (memory consumption) via a large number of attempts to upload a large attachment, related to temporary files.

  • CVE-2016-6191 | Medium | Feb 17, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in the View Raw Source page in the Web Calendar in SOGo before 3.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) Description, (2) Location, (3) URL, or (4) Title field.

  • CVE-2026-46446 | High | May 14, 2026
    risk 0.39 | cvss 7.1 | epss 0.00

    SOGo before 5.12.7, when PostgreSQL or MariaDB is used, and cleartext passwords are stored, allows SQL injection. This is related to c_password = '%@' in changePasswordForLogin.

  • CVE-2026-46445 | High | May 14, 2026
    risk 0.39 | cvss 7.1 | epss 0.00

    SOGo before 5.12.7, when PostgreSQL is used, allows SQL injection.

  • CVE-2026-8496 | Medium | May 13, 2026
    risk 0.33 | cvss 6.1 | epss 0.00

    A cross-site scripting (XSS) vulnerability exists in Alinto SOGo, version 5.12.7. A maliciously crafted ICS calendar invitation file allows arbitrary JavaScript execution within the authenticated SOGo webmail session. The issue occurs because SVG content embedded in the…

  • CVE-2014-9905 | Medium | Feb 17, 2017
    risk 0.33 | cvss 6.1 | epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in the Web Calendar in SOGo before 2.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) title of an appointment or (2) contact fields.

  • CVE-2026-3054 | Medium | Feb 24, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    A vulnerability was identified in Alinto SOGo 5.12.3/5.12.4. This impacts an unknown function. The manipulation of the argument hint leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted…

  • CVE-2016-6190 | Medium | Feb 17, 2017
    risk 0.28 | cvss 4.3 | epss 0.01

    SOGo before 2.3.12 and 3.x before 3.1.1 does not restrict access to the UID and DTSTAMP attributes, which allows remote authenticated users to obtain sensitive information about appointments with the "View the Date & Time" restriction, as demonstrated by correlating UIDs and…

  • CVE-2016-6189 | Medium | Feb 17, 2017
    risk 0.28 | cvss 4.3 | epss 0.01

    Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds.

  • CVE-2026-33550 | Mar 22, 2026
    risk 0.00 | cvss | epss 0.00

    SOGo before 5.12.5 does not renew the OTP if a user disables/enables it, and has a too short length (only 12 digits instead of the 20 recommended).

  • CVE-2025-71276 | Mar 22, 2026
    risk 0.00 | cvss | epss 0.00

    SOGo before 5.12.5 is prone to an XSS vulnerability with events, tasks, and contacts categories.

  • CVE-2025-63499 | Dec 4, 2025
    risk 0.00 | cvss | epss 0.00

    Alinto SOGo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the theme parameter.

  • CVE-2025-63498 | Nov 24, 2025
    risk 0.00 | cvss | epss 0.00

    Alinto SOGo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the "userName" parameter.

  • CVE-2024-24510 | Sep 9, 2024
    risk 0.00 | cvss | epss 0.00

    Cross Site Scripting vulnerability in Alinto SOGo before 5.10.0 allows a remote attacker to execute arbitrary code via the import function to the mail component.

  • CVE-2024-34462 | May 4, 2024
    risk 0.00 | cvss | epss 0.00

    Alinto SOGo through 5.10.0 allows XSS during attachment preview.

  • CVE-2023-48104 | Jan 16, 2024
    risk 0.00 | cvss | epss 0.01

    Alinto SOGo before 5.9.1 is vulnerable to HTML Injection.

  • CVE-2022-4558 | Dec 16, 2022
    risk 0.00 | cvss | epss 0.01

    A vulnerability was found in Alinto SOGo up to 5.7.1. It has been classified as problematic. This affects an unknown part of the file SoObjects/SOGo/NSString+Utilities.m of the component Folder/Mail Handler. The manipulation leads to cross site scripting. It is possible to…