Zimbra Classic Web Client stored XSS cross-site scripting flaw
Vulnerability
Summary
Hide ▲
Show ▼
Zimbra's Classic Web Client stored cross-site scripting (XSS) flaw was patched in Zimbra 10.1.19, closing a path that could expose session data, account settings, and mailbox information. The issue is triggered by specially crafted emails opened in the Classic UI and had no CVE ID yet at release time. Zimbra told customers using the Classic Web Client to upgrade as soon as possible.
Related Happenings
Zimbra Collaboration Suite actively exploited XSS flaw (CVE-2025-48700)
Vulnerability
H score74
First: 24.04.2026 16:35
Last: 24.04.2026 16:35
Sources 1
About this happening:
**CVE-2025-48700** is an **actively exploited XSS flaw** in **Zimbra Collaboration Suite (ZCS)** that can let unauthenticated attackers run JavaScript inside a user's session and...
Zimbra Collaboration Suite actively exploited XSS flaw (CVE-2025-48700)
VulnerabilityAbout this happening: **CVE-2025-48700** is an **actively exploited XSS flaw** in **Zimbra Collaboration Suite (ZCS)** that can let unauthenticated attackers run JavaScript inside a user's session and...
APT28 Operation GhostMail Zimbra phishing campaign targeting Ukrainian government entities
Campaign
H score37
First: 19.03.2026 16:55
Last: 19.03.2026 16:55
Sources 1
About this happening:
**APT28**’s **Operation GhostMail** is actively targeting **Ukrainian government entities** through a phishing chain that exploits **CVE-2025-66376** in **Zimbra Collaboration Sui...
APT28 Operation GhostMail Zimbra phishing campaign targeting Ukrainian government entities
CampaignAbout this happening: **APT28**’s **Operation GhostMail** is actively targeting **Ukrainian government entities** through a phishing chain that exploits **CVE-2025-66376** in **Zimbra Collaboration Sui...
CISA patch guidance for Zimbra and SharePoint flaws
Advisory/Mitigation
H score56
First: 19.03.2026 08:05
Last: 19.03.2026 08:05
Sources 1
About this happening:
**CISA** told **FCEB agencies** to patch **two actively exploited vulnerabilities** in **Synacor Zimbra Collaboration Suite (ZCS)** and **Microsoft Office SharePoint**, creating i...
CISA patch guidance for Zimbra and SharePoint flaws
Advisory/MitigationAbout this happening: **CISA** told **FCEB agencies** to patch **two actively exploited vulnerabilities** in **Synacor Zimbra Collaboration Suite (ZCS)** and **Microsoft Office SharePoint**, creating i...
Zimbra Collaboration Suite (ZCS) stored XSS flaw (CVE-2025-66376)
Vulnerability
H score52
First: 18.03.2026 21:57
Last: 18.03.2026 21:57
Sources 1
About this happening:
**CVE-2025-66376** affects **Zimbra Collaboration Suite (ZCS)**, where a stored **XSS flaw** in the **Classic UI** is **actively exploited** and can put exposed mail servers and u...
Zimbra Collaboration Suite (ZCS) stored XSS flaw (CVE-2025-66376)
VulnerabilityAbout this happening: **CVE-2025-66376** affects **Zimbra Collaboration Suite (ZCS)**, where a stored **XSS flaw** in the **Classic UI** is **actively exploited** and can put exposed mail servers and u...
CISA BOD 22-01 Zimbra patch order
Public Sector Action
H score34
First: 18.03.2026 21:57
Last: 18.03.2026 21:57
Sources 1
About this happening:
**CISA** ordered **Federal Civilian Executive Branch agencies** to secure **Zimbra Collaboration Suite (ZCS)** servers against **CVE-2025-66376**, an **actively exploited** flaw t...
CISA BOD 22-01 Zimbra patch order
Public Sector ActionAbout this happening: **CISA** ordered **Federal Civilian Executive Branch agencies** to secure **Zimbra Collaboration Suite (ZCS)** servers against **CVE-2025-66376**, an **actively exploited** flaw t...
Timeline
-
10.07.2026 14:47 2 articles · 2h ago
Zimbra releases Zimbra 10.1.19 to patch Classic Web Client stored XSS
Initial DisclosureZimbra released Zimbra 10.1.19 to fix a stored cross-site scripting (XSS) flaw in the Classic Web Client used to access the Zimbra Collaboration suite and urged customers to upgrade to ZCS v10.1.19 as soon as possible. The bug can be triggered by specially crafted emails opened in the Classic UI and could let attackers steal session data, account settings, or mailbox information. Zimbra said the issue only impacts Classic Web Client users, noted that the flaw had not been tagged as exploited in the wild, and said it was reported by Google's Threat Analysis Group.
Show sources
- Zimbra urges customers to patch critical web client XSS flaw — www.bleepingcomputer.com — 10.07.2026 14:47
- Zimbra urges customers to patch critical web client XSS flaw — www.bleepingcomputer.com — 10.07.2026 14:47