{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2025-71276", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-03-22T02:11:49.166Z", "datePublished": "2026-03-22T02:11:49.600Z", "dateUpdated": "2026-04-02T17:57:00.835Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SOGo", "vendor": "Alinto", "versions": [{"lessThan": "5.12.5", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "SOGo before 5.12.5 is prone to a XSS vulnerability with events, tasks, and contacts categories."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-02T17:57:00.835Z"}, "references": [{"url": "https://github.com/Alinto/sogo/commit/e9b3f2a43d7557e8416f6749df4ab4f9128af2d1"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:alinto:sogo:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.12.5"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T15:07:24.050440Z", "id": "CVE-2025-71276", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:53:30.083Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-71276", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T15:07:24.050440Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:07:25.141Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Alinto", "product": "SOGo", "versions": [{"status": "affected", "version": "0", "lessThan": "5.12.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/Alinto/sogo/commit/e9b3f2a43d7557e8416f6749df4ab4f9128af2d1"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "SOGo before 5.12.5 is prone to a XSS vulnerability with events, tasks, and contacts categories."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:alinto:sogo:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.12.5"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-02T17:57:00.835Z"}}}, "cveMetadata": {"cveId": "CVE-2025-71276", "state": "PUBLISHED", "dateUpdated": "2026-04-02T17:57:00.835Z", "dateReserved": "2026-03-22T02:11:49.166Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-22T02:11:49.600Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:alinto:sogo:*:*:*:*:*:*:*:*", "matchCriteriaId": "6300FA4D-5A77-4117-ACF1-11F319436E3D", "versionEndExcluding": "5.12.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SOGo before 5.12.5 is prone to a XSS vulnerability with events, tasks, and contacts categories."}], "id": "CVE-2025-71276", "lastModified": "2026-03-23T19:47:35.633", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-22T03:16:00.233", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/Alinto/sogo/commit/e9b3f2a43d7557e8416f6749df4ab4f9128af2d1"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.12.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "SOGo", "source": "cna", "vendor": "Alinto"}, "product": "sogo", "vendor": "alinto"}], "analysis": {"en": {"generated_at": "2026-03-24T04:52:57.419008+00:00", "value": {"mitigation_remediation": ["Upgrade SOGo to version 5.12.5 or later", "Verify that category names have not been tampered with by untrusted users", "If immediate upgrade is not possible, restrict or sanitize category creation for unauthenticated users", "Deploy a web application firewall to detect and block known XSS payloads"], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "The affected product is Alinto\u2019s SOGo mail/calendar application. All releases before version 5.12.5 are vulnerable; upgrading to 5.12.5 or later removes the issue.", "description_and_impact": "SOGo versions prior to 5.12.5 contain a flaw that allows an attacker to inject malicious scripts through the names of categories for events, tasks, and contacts. The application concatenates the category data directly into HTML pages without proper escaping, so a crafted category name can trigger arbitrary client\u2011side code when viewed by a user. This can lead to theft of session cookies, credential hijacking, or redirecting the user to malicious sites.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity while the EPSS score of less than 1\u202f% shows a low likelihood of exploitation. The flaw is not listed in CISA\u2019s KEV catalog. The likely attack vector is through the web interface; an attacker who can supply a crafted category name that the application renders without escaping can execute arbitrary JavaScript in the victim\u2019s browser."}}}}, "created": "2026-03-23T09:46:45.477149+00:00", "title": "Unsanitized Category Names Allow Cross\u2011Site Scripting in SOGo", "updated": "2026-03-25T14:46:45.754686+00:00", "vendors": ["alinto", "alinto$PRODUCT$sogo"]}