Debian LTS released advisory DLA-4657-1 addressing six vulnerabilities in the Sogo webmail server, including SQL injection flaws affecting PostgreSQL and MariaDB backends, XSS issues in calendar and contact views, and TOTP implementation problems. The update also resolves an arbitrary JavaScript execution risk caused by malicious .ICS files, SQL injection in ACL management allowing data extraction by authenticated users, and an XSS flaw in message subject rendering, pushing the package to version 5.8.0-2+deb12u3. Separate guidance via ELA-1760-1 targets Yelp, the GNOME help browser, by correcting CVE-2026-13601 which enables crafted documents to read local user files and exfiltrate them to remote servers through the embedded web view. This vulnerability also permits a sandbox escape when launching the application via Flatpak, affecting versions 3.22.0-1+deb9u2 for Debian stretch and 3.31.90-1+deb10u2 for Debian buster.

[DLA 4657-1] sogo security update
ELA-1760-1 yelp security update

[SECURITY] [DLA 4657-1] sogo security update

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4657-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
June 29, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : sogo
Version : 5.8.0-2+deb12u3
CVE IDs : CVE-2026-46445 CVE-2026-46446 CVE-2025-71276
CVE-2026-33550 CVE-2026-8496 CVE-2026-8851
Debian Bugs : 1131605 1131606

Multiple vulnerabilities were discovered in sogo, the open-source
webmail and groupware server:

* CVE-2026-46445: A SQL injection vulnerability when PostgreSQL is
used as the user database.

* CVE-2026-46446: Address a SQL injection vulnerability when MariaDB
or PostgreSQL is used as the user database and passwords are
stored in cleartext.

* CVE-2025-71276: Fix a A Cross-Site Scripting (XSS) vulnerability in
events, tasks and contacts categories.

* CVE-2026-33550: Address a number of Time-Based One-Time Passwords
(TOTP) vulnerabilities, including if a user disables/enables TOTP,
various values not being renewed, and an issue around recommended
TOTP lengths.

* CVE-2026-8496: Fix an issue where a maliciously crafted .ICS
calendar invitation file allowed arbitrary JavaScript execution
within an authenticated webmail session.

* CVE-2026-8851: Fix an SQL injection vulnerability in the access
control list management functionality, which could have allowed
authenticated users to extract arbitrary data from the database by
injecting SQL subqueries through the "uid" parameter of the
"addUserInAcls" endpoint.

In addition, a patch was added to fix a Cross-Site Scripting (XSS)
vulnerability in message subject rendering.

For Debian 11 bullseye, these problem have been fixed in version
5.8.0-2+deb12u3.

We recommend that you upgrade your sogo packages.

Thank you to Peter Wienemann [wiene@debian.org] for preparing this
update.

For the detailed security status of sogo please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sogo

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

ELA-1760-1 yelp security update (by )

Package : yelp

Version : 3.22.0-1+deb9u2 (stretch), 3.31.90-1+deb10u2 (buster)

Related CVEs :
CVE-2026-13601

A vulnerability was discovered in yelp, the GNOME help browser, that
allows a crafted help document to read files accessible to the user and
exfiltrate them to a remote server through resources loaded by the
embedded web view. When yelp is launched from a sandboxed application
(for example via the Flatpak OpenURI portal), this also enables a
sandbox escape.

ELA-1760-1 yelp security update (by )