CVE-2026-3054
Received Received - Intake
Cross-Site Scripting in Alinto SOGo 5.12.3/5.12.4 Remote Exploit

Publication date: 2026-02-24

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in Alinto SOGo 5.12.3/5.12.4. This impacts an unknown function. The manipulation of the argument hint leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3054
EUVD
EUVD-2026-7411
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
alinto sogo 5.12.3
alinto sogo 5.12.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-3054 is a cross-site scripting (XSS) vulnerability found in Alinto SOGo versions 5.12.3 and 5.12.4. It arises from improper neutralization of user-controllable input in the "hint" argument, which is manipulated to inject malicious scripts.'}, {'type': 'paragraph', 'content': 'Specifically, the vulnerability occurs because the application fails to properly sanitize and encode the "hint" URL parameter before embedding it into a JavaScript context. This allows attackers to break out of the JavaScript string context and execute arbitrary JavaScript code.'}, {'type': 'paragraph', 'content': 'The attack can be initiated remotely without authentication, requiring only that a victim clicks a crafted link or visits a malicious page containing the manipulated "hint" parameter.'}] [1, 2]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability allows remote attackers to execute arbitrary JavaScript code in the victim's browser within the context of the affected domain."}, {'type': 'paragraph', 'content': "Successful exploitation can lead to actions such as session hijacking, defacement, or redirection to malicious sites, depending on the attacker's intent."}, {'type': 'paragraph', 'content': 'Because the exploit is publicly available and easy to execute, users of the affected software are at risk if they interact with crafted URLs containing the malicious "hint" parameter.'}] [1, 2]

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the affected Alinto SOGo versions 5.12.3 or 5.12.4 are running and by testing the web login interface for reflected cross-site scripting (XSS) via the "hint" URL parameter.'}, {'type': 'paragraph', 'content': 'A practical detection method is to send a crafted HTTP request to the endpoint `/SOGo?hint=` with a payload that attempts to break out of the JavaScript string context and execute arbitrary code.'}, {'type': 'paragraph', 'content': "For example, you can use curl or a similar tool to test the vulnerability by injecting a payload like `'-alert(document.domain)-'/` and then inspect the response for reflected script execution."}, {'type': 'list_item', 'content': 'curl -i "http://<target-host>/SOGo?hint=\'-alert(document.domain)-\'/"'}, {'type': 'list_item', 'content': 'Use a web proxy or browser developer tools to observe if the injected payload appears unescaped inside a JavaScript variable in the page source.'}, {'type': 'list_item', 'content': 'Search your network for hosts running SOGo with the Shodan query: `title:"SOGo"` to identify potentially vulnerable instances.'}] [1, 2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Currently, no official mitigation or patch is available from the vendor, as they did not respond to the disclosure.'}, {'type': 'paragraph', 'content': 'Immediate steps include avoiding the use of the affected versions 5.12.3 and 5.12.4 of Alinto SOGo, especially in environments exposed to untrusted users.'}, {'type': 'paragraph', 'content': 'Consider replacing the affected product with an alternative solution that does not have this vulnerability.'}, {'type': 'paragraph', 'content': 'As a temporary measure, implement web application firewall (WAF) rules to detect and block requests containing suspicious payloads in the "hint" parameter.'}, {'type': 'paragraph', 'content': 'Educate users to avoid clicking on suspicious or untrusted links that might exploit this vulnerability.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3054. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart