The Alinto team is pleased to announce the immediate availability of SOGo v5.12.8. This is a major release, as it fixes several security vulnerabilities.
IMPORTANT
Four major vulnerabilities have been reported and fixed in version 5.12.8 (and in the nightly builds since the 8th of May 2026: sogo_5.12.7.20260508).
These vulnerabilities affect every previous SOGo version. Please update as soon as possible.
CVE IDs will be added here once they have been assigned.
Affects everyone:
- Two possible XSS injections via a malicious mail: fixed.
- One possible SQL injection via a specific request: fixed.
Affects SOGo when using OpenID with a non-matching user source:
- Impersonation through an untrusted user source: fixed.
Regression
Some regressions, mainly in the mail view, may occur. If you find any, please report them at https://bugs.sogo.nu
Thanks
Many thanks to the reporters for finding and investigating these vulnerabilities and for validating the fixes!
- dninh of SACOMBANK for the SQL injection.
- Luke H for one XSS injection.
- Greg Lesnewich from Proofpoint Threat Research for one XSS injection.
- The last one was found by us at Alinto.