CVE-2025-66376

Published Jan 5, 2026

Last updated 12 hours ago

Overview

Description
Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.
Source
cve@mitre.org
NVD status
Analyzed
Products
zimbra_collaboration_suite

Risk scores

CVSS 3.1

Type
Primary
Base score
6.1
Impact score
2.7
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity
MEDIUM

Known exploits

Data from CISA

Vulnerability name
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability
Exploit added on
Mar 18, 2026
Exploit action due
Apr 1, 2026
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

cve@mitre.org
CWE-79

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

13

  1. CISA adds actively exploited Microsoft SharePoint RCE (CVE-2026-20963) and Zimbra XSS (CVE-2025-66376) to its KEV catalog. Update your systems immediately. #CISA #KEVCatalog #SharePoint #Zimbra #CyberSecurity #InfoSec #CVE #RCE #Vulnerability #PatchAlert https://t.co/ovtcE5to4p

    @the_yellow_fall

    19 Mar 2026

    218 Impressions

    0 Retweets

    2 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨CISA adds exploited SharePoint and Zimbra flaws to KEV catalog CISA added CVE-2026-20963 in Microsoft SharePoint and CVE-2025-66376 in Zimbra Collaboration Suite to its Known Exploited Vulnerabilities catalog, confirming in-the-wild exploitation and setting federal remediatio

    @ThreatSynop

    19 Mar 2026

    36 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CISA mandates federal agencies to patch Zimbra Collaboration Suite servers by April 1 due to active exploitation of a stored XSS flaw via CSS @import in HTML emails (CVE-2025-66376). #ZimbraFlaw #USFed #XSSVulnerability https://t.co/51418eAjyA

    @TweetThreatNews

    18 Mar 2026

    55 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🚨 ACTIVE EXPLOITATION: CISA orders federal agencies to patch Zimbra XSS flaw CVE-2025-66376 after attacks in the wild. The vulnerability affects Zimbra Collaboration Suite and can be triggered through malicious HTML email content in the Classic UI. Email platforms remain a

    @CyberAlertsHQ

    18 Mar 2026

    68 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  5. CVE Alert: CVE-2025-66376 - Zimbra - Collaboration - https://t.co/LWb0ikShDs #OSINT #ThreatIntel #CyberSecurity #cve-2025-66376 #zimbra #collaboration

    @RedPacketSec

    18 Mar 2026

    123 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CISA added the Zimbra Collaboration stored XSS vulnerability CVE-2025-66376 to the KEV and asked federal agencies to prioritize a response. What matters is that this is not merely a theoretical XSS; exploitation has actually been confirmed in the wild. This vulnerability, in the Classic UI, HTML m

    @01ra66it

    18 Mar 2026

    181 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  7. 🚨 CISA: Patch the Zimbra XSS flaw. Federal agencies have been ordered to patch by April 1. CVE-2025-66376 is being actively exploited. #CISA #Zimbra #SiberGüvenlik 🔗 https://t.co/2opFdZYYUQ

    @shtc_social

    18 Mar 2026

    88 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. ‼️CISA has added 2 vulnerabilities to the KEV Catalog https://t.co/9idGUAHIKd CVE-2025-66376: Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability. CVSS: 7.1 CVE-2026-20963: Microsoft SharePoint Deserialization of Untrusted Data Vulnerability. CVSS:

    @DarkWebInformer

    18 Mar 2026

    2548 Impressions

    4 Retweets

    14 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  9. Latest Known Exploited Vulnerabilities (#KEV) : #CVE-2025-66376 #Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability https://t.co/ZgNmaO8SAk

    @ScyScan

    18 Mar 2026

    60 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. 🛡️ CVE-2025-66376: XSS vulnerability in Synacor Zimbra Collaboration Suite. We analyze the CVE-2025-66376 vulnerability in Zimbra, an XSS that enables attacks via CSS in emails. High impact, CVSS score 7.2. Recommendations and mitiga https://t.co/Kwvwik0OJI #ciberplane

    @CiberPlanetaOrg

    18 Mar 2026

    57 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. 🛡️ Security Alert: Cross-Site Scripting vulnerability in Synacor Zimbra Collaboration Suite (ZCS) (CVE-2025-66376). An XSS vulnerability in Synacor ZCS allows attackers to inject CSS @import directives into email HTML via the Classic UI. High severity (CVSS 7.2). Apl

    @CiberPlanetaOrg

    18 Mar 2026

    56 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. 🛡️ We added Synacor Zimbra Collaboration Suite (ZCS) cross-site scripting vulnerability CVE-2025-66376 to our KEV Catalog. Visit https://t.co/myxOwap1Tf for more information. #Cybersecurity #InfoSec https://t.co/GbvwRmJfCG

    @CISACyber

    18 Mar 2026

    2549 Impressions

    5 Retweets

    12 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  13. New Research! Operation #GhostMail #APT28 (FancyBear) targets the Ukrainian State Hydrology Agency, exploiting a stored XSS vulnerability (CVE-2025-66376) in Zimbra Classic UI to deploy a browser-resident stealer similar to #SpyPress, that exfiltrates data over both DNS & HT

    @PrakkiSathwik

    18 Mar 2026

    2103 Impressions

    9 Retweets

    43 Likes

    16 Bookmarks

    1 Reply

    0 Quotes

  14. GhostMail campaign exploits a Zimbra Webmail XSS (CVE-2025-66376) to compromise authenticated sessions and exfiltrate 90 days of mailbox data from a Ukrainian government target. The attack leverages browser-resident JavaScript payloads, harvesting credentials, 2FA tokens, OAuth

    @VivekIntel

    18 Mar 2026

    125 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. CVE-2025-66376 Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mai… https://t.co/FGoF1kLefz

    @CVEnew

    5 Jan 2026

    183 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations