CVE-2025-66376
Vexday Risk Score: 56 (Attention)
SSVC decision (CISA): Act (exploitation + impact → act immediately)
CVSS 7.2 · EPSS 12.0% · KEV: yes · PoC — · Nuclei — · Metasploit — · Patch —
Lifecycle
05 Jan 2026: Published on NVD
18 Mar 2026: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short
Zimbra Collaboration allows attackers to inject malicious code into email messages through CSS styling tricks. When a victim views the email in the Classic UI, the injected code runs in their browser, potentially stealing data or compromising their account.
Technical detail
Stored XSS vulnerability in Zimbra ZCS 10 (10.0.x before 10.0.18 and 10.1.x before 10.1.13) via CSS @import directives in HTML email messages. The attack vector is network-based: an attacker sends a crafted email that executes JavaScript in the context of the recipient's Classic UI session. Impact includes session hijacking, credential theft, and unauthorized actions on behalf of the victim.
Summary generated and translated by AI from the official description.
Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
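As an added example (not Zimbra's code and not part of the original record), the defender-side check below collects the CSS an HTML message can carry, in <style> bodies and style="" attributes, and flags any fragment containing an @import rule; it decodes CSS hex escapes and strips comments first so the match is not defeated by trivial encoding, and the sample message is constructed. It can serve as a pre-render filter in a mail client or as a detection signal at a mail gateway.

```python
import re
from html.parser import HTMLParser

# CSS can spell a rule name with hex escapes ("\69" is "i") or split it with comments,
# so decode and strip those before matching instead of grepping for literal "@import".
_ESCAPE_RE = re.compile(r'\\([0-9a-fA-F]{1,6})\s?')
_COMMENT_RE = re.compile(r'/\*.*?\*/', re.DOTALL)
_IMPORT_RE = re.compile(r'@\s*import\b', re.IGNORECASE)

def normalize_css(css: str) -> str:
    """Decode CSS hex escapes (invalid code points become U+FFFD) and drop comments."""
    def decode(m):
        code = int(m.group(1), 16)
        return chr(code) if 0 < code <= 0x10FFFF else '\ufffd'
    return _COMMENT_RE.sub('', _ESCAPE_RE.sub(decode, css))

def has_css_import(css: str) -> bool:
    return _IMPORT_RE.search(normalize_css(css)) is not None

# Collects the CSS an HTML e-mail can carry: <style> bodies and style="" attributes.
class _CssCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.fragments, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        if tag == 'style':
            self._in_style = True
        self.fragments += [v for k, v in attrs if k == 'style' and v]

    def handle_endtag(self, tag):
        if tag == 'style':
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.fragments.append(data)

def find_css_imports(html: str) -> list:
    """Return every CSS fragment of an HTML message that carries an @import rule."""
    collector = _CssCollector()
    collector.feed(html)
    return [f for f in collector.fragments if has_css_import(f)]

# Constructed sample message: an @import in a <style> block, one spelled with a hex
# escape in an inline style, and one harmless inline style that must pass.
SAMPLE_EMAIL = ('<html><head><style>body { color: #333; }\n'
               '@import url("https://theme.example.invalid/classic.css");</style></head>'
               '<body><p style="@\\69mport url(inline.css); color: red">Hello</p>'
               '<div style="font-weight: bold">Regards</div></body></html>')
```

A production filter should go further and run a real CSS parser, since the regexes here only cover the normalisations named in the comments.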
Affected products
Zimbra · Collaboration
References
https://wiki.zimbra.com/wiki/Security_Center
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.18#Security_Fixes
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.13#Security_Fixes
https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-66376