SOGo v5.12.8 released
May 12, 2026

The Alinto team is pleased to announce the immediate availability of SOGo v5.12.8. This is a major release as it fixes security vulnerabilities.

IMPORTANT

Four major vulnerabilities have been reported and are fixed in version 5.12.8, and in nightly builds since the 8th of May 2026 (sogo_5.12.7.20260508).

These vulnerabilities affect all previous SOGo versions. Please update as soon as possible.

CVE IDs will be added once they're created.

Affects everyone

  • 2 possible XSS injections with malicious mail: fixed.
  • 1 possible SQL injection with specific request: fixed.

Affects SOGo when using OpenID with a non-matching user source

  • Impersonation with untrusted user source: fixed.

Regression

Some regressions, mainly in the mail view, may occur. If you find any, please report them at https://bugs.sogo.nu

Thanks

Many thanks to the reporters for finding and investigating these vulnerabilities and validating the fixes!

What’s next

Version 5.12.9 is already planned: some fixes have already been made but were held back so that this release would be only about security.

See the complete change log.
