Vulnerability detail
Enriched intelligence for a single CVE
High
CVE-2025-66376
PUBLISHEDZimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import...
1 day faster than CISA KEV
- Vendor
- Zimbra
- Product
- Collaboration
- Published
- Jan 05, 2026
- EPSS
- 10.9% · 94% pctl
Automate this intelligence with the Pro API
Everything on this page — CVSS, EPSS, exploit status, PoCs, scanner integrations, mentions, tags, and immediate honeypot data — is available programmatically for VM, SOC, and CTI workflows.
Description
Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.
Weaknesses (CWE)
-
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Exploitation status
Exploited in the wild
Recorded 2026-06-01 12:10:26 UTC · CVE
References
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
- https://wiki.zimbra.com/wiki/Security_Center
- https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
- https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.13#Security_Fixes
- https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.18#Security_Fixes
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| CVE First | 2026-06-01 12:10 UTC |
| CISA | 2026-06-02 14:02 UTC |
Timeline
-
CVE ID Reserved
-
CVE Published to Public
-
Added to KEVIntel
-
KEV confirmed by CISA