CVE-2025-48700
Published: 2025-06-23
Priority: P2 · 78 · medium · CVSS 3.1 base score 6.1
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
CISA Known Exploited Vulnerability (KEV), remediation due 2026-04-23
Exploited in the wild (ITW)
EPSS: 1.76% (75.2th percentile)
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, specifically involving crafted tag structures and attribute values that include an @import directive and other script injection vectors. The vulnerability is triggered when a user views a crafted e-mail message in the Classic UI, requiring no additional user interaction.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| synacor | zimbra_collaboration_suite | — | — |
| synacor | zimbra_collaboration_suite | — | — |
| synacor | zimbra_collaboration_suite | >= 10.0.0 < 10.0.12 | 10.0.12 |
| synacor | zimbra_collaboration_suite | >= 10.1.0 < 10.1.4 | 10.1.4 |
The two rows without bounds are the 8.8.15 and 9.0 branches named in the description; the source carries no fixed build for them, so take the patch level from the Zimbra Security Advisories wiki linked below rather than from this table.
Detection & IOCs (extracted from sources)
- The vulnerability fires when a user opens a crafted e-mail in the Classic UI, so the earliest place to look is the mail body itself: scan HTML parts destined for Zimbra Classic UI users for CSS @import directives and for the crafted tag and attribute structures the advisory describes.
- No interaction beyond viewing the message is required, so client-side signals matter as well: anomalous JavaScript execution or session-hijacking indicators originating from Zimbra webmail sessions.
- Vendor advisory and patch details are on the Zimbra Security Advisories wiki; confirm the exact patch version there before deploying mitigations.
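Mail-path detection for the indicator classes listed above, as an added example written for this page (it is not Zimbra code and not a published detection rule for this CVE): a Python scanner that parses a MIME message, pulls out every text/html part, and flags CSS @import in a <style> block or a style attribute, script-bearing tags, on* event handler attributes, and javascript: URIs. The indicator list is an assumption drawn from the advisory wording, not the actual CVE-2025-48700 payload, and the sample message is constructed for the example. Expect false positives on legitimate newsletters that ship @import in their styling; treat a hit as a triage signal.

```python
"""Scan MIME mail for the HTML/CSS injection indicators described for
CVE-2025-48700. Added example, not Zimbra code. The indicator patterns are
assumptions drawn from the advisory wording (not the real payload), and
SAMPLE_EML is a constructed message."""
import email
import re
from email import policy
from html.parser import HTMLParser

CSS_IMPORT = re.compile(r"@import\b", re.IGNORECASE)
JS_URI = re.compile(r"^\s*javascript\s*:", re.IGNORECASE)
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)
# Tags a mail sanitizer should never let through to the rendering UI.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math", "base", "form"}
URI_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}


class IndicatorParser(HTMLParser):
    """Walk tags and attributes, recording what a sanitizer should have stripped."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.findings: list[str] = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag:{tag}")
        if tag == "style":
            self._in_style = True
        for name, value in attrs:  # HTMLParser lowercases tag and attribute names
            value = value or ""
            if EVENT_ATTR.match(name):
                self.findings.append(f"attr:{name}")
            elif name == "style" and CSS_IMPORT.search(value):
                self.findings.append("style-attr:@import")
            elif name in URI_ATTRS and JS_URI.search(value):
                self.findings.append(f"attr:{name}=javascript:")

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # <style> is CDATA for HTMLParser, so the sheet text arrives here verbatim.
        if self._in_style and CSS_IMPORT.search(data):
            self.findings.append("style-tag:@import")


def scan_html(html: str) -> list[str]:
    """Return indicator labels found in one HTML document, in document order."""
    parser = IndicatorParser()
    parser.feed(html)
    parser.close()
    # Crafted tag structures can make a lenient parser swallow the sheet,
    # so fall back to a raw text scan for @import if the tree walk missed it.
    if CSS_IMPORT.search(html) and not any("@import" in f for f in parser.findings):
        parser.findings.append("raw:@import")
    return parser.findings


def scan_eml(raw: bytes) -> list[str]:
    """Return indicators across every text/html part of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(scan_html(part.get_content()))
    return findings


# Constructed sample; the @import target and the scripts are placeholders.
SAMPLE_EML = b"""\
From: sender@example.invalid
To: user@example.invalid
Subject: constructed test message (not a real payload)
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<style>@import url("https://example.invalid/sheet.css");</style>
<p style="color:red">quarterly report attached</p>
<a href="javascript:alert(document.cookie)">open</a>
<img src="x" onerror="alert(1)">
</body></html>
"""

if __name__ == "__main__":
    for hit in scan_eml(SAMPLE_EML):
        print(hit)
```

Feed it the raw message bytes from the MTA, a journal mailbox, or a mail-gateway quarantine; a hit says the message carries content a sanitizer should have stripped, not that the Classic UI actually executed it, since the trigger happens at render time on the client and this scanner never observes that.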
CVSS provenance
nvd · v3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck · 6.1 MEDIUM
cisa · 6.1 MEDIUM
CISA
Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability
cisa · 2026-04-20 · CVSS 6.1 · MEDIUM · CWE-79
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that could allow attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories ; https://nvd.nist.gov/vuln/detail/CVE-2025-48700
Remediation Due Date: 2026-04-23
VulDB
Zimbra Collaboration Suite 8.8.15/9.0/10.0/10.1 Classic UI cross-site scripting (EUVD-2025-18891)
vuldb · 2026-04-21 · CVSS 6.1 · MEDIUM
A vulnerability labeled as problematic has been found in Zimbra Collaboration Suite 8.8.15/9.0/10.0/10.1. Affected by this issue is some unknown functionality of the component Classic UI. Executing a manipulation can lead to cross-site scripting.
This vulnerability is handled as CVE-2025-48700. The attack can be executed remotely. Additionally, an exploit exists.
GHSA
GHSA-wmq6-ffv7-gqwf: An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1
ghsa_unreviewed · 2025-06-23 · MEDIUM · CWE-79
The advisory text is identical to the description at the top of this page.
VulnCheck
Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability
vulncheck · 2025 · CVSS 6.1 · MEDIUM · CWE-79
Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that could allow attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information.
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2026-04-23
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Over 10,000 Zimbra servers vulnerable to ongoing XSS attacks
blogs_bleepingcomputer · 2026-04-24 · CVSS 6.1
By Sergiu Gatlan
Over 10,000 Zimbra Collaboration Suite (ZCS) instances exposed online are vulnerable to ongoing attacks exploiting a cross-site scripting (XSS) security flaw, according to nonprofit security organization Shadowserver.
Zimbra is a popular email and collaboration software suite used by hundreds of millions of people worldwide, including hundreds of government agencies and thousands of businesses.
The vulnerability (tracked as CVE-2025-48700 ) affects ZCS 8.8.15, 9.0, 10.0, and 10.1 and can allow unauthenticated attackers to access sensitive information after executing arbitrary JavaScript within the user's session.
Synacor released security patches to address the flaw in June 2025, when it warned that CVE
Hackernews
CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines
blogs_hackernews · 2026-04-21 · CVSS 7.5 (article indexed under CVE-2023-27351 [HIGH]; it also covers CVE-2025-48700)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added eight new vulnerabilities to its Known Exploited Vulnerabilities ( KEV ) catalog, including three flaws impacting Cisco Catalyst SD-WAN Manager, citing evidence of active exploitation.
The list of vulnerabilities is as follows -
CVE-2023-27351 (CVSS score: 8.2) - An improper authentication vulnerability in PaperCut NG/MF that could allow an attacker to bypass authentication on affected installations via the SecurityRequestFilter class.
CVE-2024-27199 (CVSS score: 7.3) -
Timeline
2025-06-23 · Published
2026-04-20 · Added to CISA KEV
Exploited in the wild