CVE-2026-8496

Name of the Vulnerable Software and Affected Versions Alinto SOGo version 5.12.7

Description A cross-site scripting (XSS) issue exists where maliciously crafted ICS calendar invitation files allow arbitrary JavaScript execution within an authenticated webmail session. The problem arises because SVG content embedded in the description field of an ICS file, specifically using an onrepeat event handler, is insufficiently sanitized before being rendered. A remote attacker can execute JavaScript in the victim's browser when the malicious invite is viewed, potentially leading to mailbox access, theft of emails and contacts, and session hijacking.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.