CVE-2025-66376

CWE-79 — Cross-site Scripting (XSS)6 documents5 sources

7.2

CVSS

HIGH

EPSS10.0%(93th)

CISA KEV

CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.7

Affected Packages1 packages

▶NVDsynacor/zimbra_collaboration_suite10.0.0 — 10.0.18+1

Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.

NVD ↗MITRE ↗

🔴Vulnerability Details

CVEList

CVE-2025-66376: Zimbra Collaboration (ZCS) 10 before 10↗2026-01-05

▶

VulnCheck

Zimbra collaboration Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')↗2025

▶

📋Vendor Advisories

CISA

Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability↗2026-03-18

▶

🕵️Threat Intelligence

Bleepingcomputer

Russian hackers exploit Zimbra flaw in Ukrainian govt attacks↗2026-03-19

▶

Bleepingcomputer

CISA orders feds to patch Zimbra XSS flaw exploited in attacks↗2026-03-18

▶