vulnerability

Zimbra Collaboration: CVE-2025-66376: Patched a stored XSS vulnerability.

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
6	(AV:N/AC:L/Au:N/C:P/I:P/A:N)	Jan 5, 2026	Jan 6, 2026	Jan 6, 2026

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:P/A:N)

Published

Jan 5, 2026

Added

Jan 6, 2026

Modified

Jan 6, 2026

Description

Zimbra collaboration (zcs) 10 before 10.0.18 and 10.1 before 10.1.13 allows classic ui stored xss via cascading style sheets (css) @import directives in an html e-mail message.

Solution

zimbra-collaboration-upgrade-latest

References

CWE-79
CVE-2025-66376
https://attackerkb.com/topics/CVE-2025-66376
URL-https://wiki.zimbra.com/wiki/Security_Center
URL-https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.18#Security_Fixes
URL-https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.13#Security_Fixes
URL-https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
URL-https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today