CVE-2025-66376KEV

Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.

Description

Affected Products

Vendor	Product	Versions
synacor	zimbra_collaboration_suite	< 10.0.18, < 10.1.13

References

https://wiki.zimbra.com/wiki/Security_Center(Release Notes, Vendor Advisory)
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.18#Security_Fixes(Release Notes)
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.13#Security_Fixes(Release Notes)
https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy(Product)
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories(Vendor Advisory)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-66376(US Government Resource)

Related News (1 articles)

Tier B

CERT-FR2d ago

Bulletin d'actualité CERTFR-2026-ACT-012 (23 mars 2026)

→ No new info (linked only)

CVSS 3.17.2 HIGH

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA KEV✅ Yes

Actively exploited✅ Yes

CWECWE-79

Published1/5/2026

Last enriched2h ago

Trending Score71

Source articles1

Independent1

Info Completeness10/14

Missing: epss, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Pin to Dashboard

Verification

State: verified

Confidence: 100%