Find notable cyber news and cases, enriched with sources, timelines, and signals.

Zimbra Classic Web Client stored XSS cross-site scripting flaw

Vulnerability
First reported
Last updated
Happening score
H score 26
1 unique sources, 1 articles

Summary

Hide ▲

Zimbra fixed a critical stored XSS flaw in the Classic Web Client that could let a specially crafted email run malicious code in a user's session. The weakness could expose mailbox information, session data, or account settings, creating account-compromise risk. Zimbra says customers should upgrade to Zimbra Collaboration Suite 10.1.19 to reduce exposure.

Related Happenings

APT28 Operation GhostMail Zimbra phishing campaign targeting Ukrainian government entities

Campaign
H score37 First: 19.03.2026 16:55 Last: 19.03.2026 16:55 Sources 1

About this happening: **APT28**’s **Operation GhostMail** is actively targeting **Ukrainian government entities** through a phishing chain that exploits **CVE-2025-66376** in **Zimbra Collaboration Sui...

CISA BOD 22-01 Zimbra patch order

Public Sector Action
H score34 First: 18.03.2026 21:57 Last: 18.03.2026 21:57 Sources 1

About this happening: **CISA** ordered **Federal Civilian Executive Branch agencies** to secure **Zimbra Collaboration Suite (ZCS)** servers against **CVE-2025-66376**, an **actively exploited** flaw t...

Timeline

  1. 11.07.2026 09:45 2 articles · 4h ago

    Zimbra urges customers to patch critical stored XSS in Classic Web Client

    Initial Disclosure

    Zimbra urges customers to apply updates for a critical stored cross-site scripting flaw in the Classic Web Client that could let a specially crafted email run malicious code in a user's session. If exploited, the issue could expose mailbox information, session data, or account settings, and Zimbra recommends upgrading to Zimbra Collaboration Suite version 10.1.19.

    Show sources