CVE-2025-66376
Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import...
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- November 28, 2025
- Published Date
- January 05, 2026
- Last Updated
- March 19, 2026
- Vendor
- Zimbra
- Product
- Collaboration
- Description
- Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.
- Tags
- Exploitation
- active
- Technical Impact
- partial
- Exploited in the Wild
- Yes (2026-06-01 12:10:26 UTC) Source
cisa
CVSS Scores
CVSS v3.1
7.2 - HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
SSVC Information
Exploit Status
References
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
https://wiki.zimbra.com/wiki/Security_Center
https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.13#Security_Fixes
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.18#Security_Fixes
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| CVE | 2026-06-01 12:10:26 UTC |
Timeline
-
CVE ID Reserved
-
CVE Published to Public
-
Added to KEVIntel