Zimbra Classic Web Client stored XSS security update
Security Patch Release
Summary
Hide ▲
Show ▼
Zimbra released ZCS v10.1.19 to patch a stored XSS flaw in the Classic Web Client, narrowing exposure for users of that interface. The bug could be triggered through specially crafted emails and could expose session data, account settings, or mailbox information if opened. Zimbra told customers to upgrade as soon as possible because the issue affects only Classic Web Client users and had no CVE ID yet.
Related Happenings
Synacor Zimbra CVE-2025-48700 security patch release
Security Patch Release
H score76
First: 24.04.2026 16:35
Last: 24.04.2026 16:35
Sources 1
About this happening:
Synacor released **security patches** for **CVE-2025-48700**, fixing an **XSS flaw** in **Zimbra Classic UI** that could be triggered by a **malicious email** and expose **sensiti...
Synacor Zimbra CVE-2025-48700 security patch release
Security Patch ReleaseAbout this happening: Synacor released **security patches** for **CVE-2025-48700**, fixing an **XSS flaw** in **Zimbra Classic UI** that could be triggered by a **malicious email** and expose **sensiti...
APT28 Operation GhostMail Zimbra phishing campaign targeting Ukrainian government entities
Campaign
H score37
First: 19.03.2026 16:55
Last: 19.03.2026 16:55
Sources 1
About this happening:
**APT28**’s **Operation GhostMail** is actively targeting **Ukrainian government entities** through a phishing chain that exploits **CVE-2025-66376** in **Zimbra Collaboration Sui...
APT28 Operation GhostMail Zimbra phishing campaign targeting Ukrainian government entities
CampaignAbout this happening: **APT28**’s **Operation GhostMail** is actively targeting **Ukrainian government entities** through a phishing chain that exploits **CVE-2025-66376** in **Zimbra Collaboration Sui...
CISA patch guidance for Zimbra and SharePoint flaws
Advisory/Mitigation
H score56
First: 19.03.2026 08:05
Last: 19.03.2026 08:05
Sources 1
About this happening:
**CISA** told **FCEB agencies** to patch **two actively exploited vulnerabilities** in **Synacor Zimbra Collaboration Suite (ZCS)** and **Microsoft Office SharePoint**, creating i...
CISA patch guidance for Zimbra and SharePoint flaws
Advisory/MitigationAbout this happening: **CISA** told **FCEB agencies** to patch **two actively exploited vulnerabilities** in **Synacor Zimbra Collaboration Suite (ZCS)** and **Microsoft Office SharePoint**, creating i...
CISA BOD 22-01 Zimbra patch order
Public Sector Action
H score34
First: 18.03.2026 21:57
Last: 18.03.2026 21:57
Sources 1
About this happening:
**CISA** ordered **Federal Civilian Executive Branch agencies** to secure **Zimbra Collaboration Suite (ZCS)** servers against **CVE-2025-66376**, an **actively exploited** flaw t...
CISA BOD 22-01 Zimbra patch order
Public Sector ActionAbout this happening: **CISA** ordered **Federal Civilian Executive Branch agencies** to secure **Zimbra Collaboration Suite (ZCS)** servers against **CVE-2025-66376**, an **actively exploited** flaw t...
CISA KEV multi-product active exploitation wave (CVE-2020-7796)
Exploitation Wave
H score53
First: 18.02.2026 08:52
Last: 18.02.2026 08:52
Sources 1
About this happening:
**CISA** expanded its **KEV catalog** with **four actively exploited flaws**, signaling a live exploitation wave across **Chrome, TeamT5 ThreatSonar, Zimbra, and Windows Video Act...
CISA KEV multi-product active exploitation wave (CVE-2020-7796)
Exploitation WaveAbout this happening: **CISA** expanded its **KEV catalog** with **four actively exploited flaws**, signaling a live exploitation wave across **Chrome, TeamT5 ThreatSonar, Zimbra, and Windows Video Act...
Timeline
-
10.07.2026 14:47 2 articles · 2h ago
Zimbra releases ZCS v10.1.19 to patch Classic Web Client stored XSS
Mitigation Patch UpdateZimbra released ZCS v10.1.19 to patch a stored cross-site scripting (XSS) flaw in the Classic Web Client used to access the Zimbra Collaboration suite, and told Classic Web Client customers to upgrade as soon as possible. The flaw can be triggered by specially crafted emails opened in the Classic UI and could expose session data, account settings, or mailbox information.
Show sources
- Zimbra urges customers to patch critical web client XSS flaw — www.bleepingcomputer.com — 10.07.2026 14:47
- Zimbra urges customers to patch critical web client XSS flaw — www.bleepingcomputer.com — 10.07.2026 14:47