MediumCISA KEVExploited in the wildPublic exploit

Stored XSS in Zimbra Collaboration Classic UI via CSS @import in HTML email

IdentifiersCVE-2025-66376CWE-79· Improper Neutralization of Input…

CVE-2025-66376 is a stored cross-site scripting vulnerability in Zimbra Collaboration (ZCS) Classic UI affecting 10.0 before 10.0.18 and 10.1 before 10.1.13. The flaw can be triggered by a remote unauthenticated attacker sending a specially crafted HTML email that abuses Cascading Style Sheets (CSS) @import directives. When the message is viewed in the Zimbra Classic web interface, attacker-controlled script executes in the context of the victim’s authenticated browser session. Reporting indicates the issue resides in how malicious HTML/CSS content in email is handled in the Classic UI, and vendor remediation included upgrading the AntiSamy library to 1.7.8 and removing outdated risky code.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation enables execution of attacker-controlled JavaScript in the victim’s active Zimbra webmail session. This can lead to session hijacking, theft of session cookies, credentials, tokens, backup two-factor authentication data, browser-stored passwords, mailbox contents, and other sensitive email data. An attacker may also perform unauthorized actions as the victim within the webmail application, including browser-based data exfiltration and abuse of the authenticated session for follow-on espionage activity.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, discontinue use of the vulnerable Classic UI or the affected product until remediation can be completed. Reduce exposure by restricting or disabling access to Classic UI where operationally feasible, preferring supported and patched interfaces only. Treat HTML email rendering in vulnerable Classic UI deployments as high risk until patched. Follow vendor and CISA guidance for KEV-listed vulnerabilities and prioritize emergency remediation.

Remediation

Patch, then assume compromise.

Upgrade Zimbra Collaboration to a fixed release: 10.0.18 or later on the 10.0 branch, or 10.1.13 or later on the 10.1 branch. Applying the vendor patch is reported to fully mitigate this stored XSS issue. Because Zimbra 10.0 reached end of life on 2025-12-31, organizations still on 10.0 should migrate to the supported 10.1 release line to reduce exposure to future unpatched vulnerabilities.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

ZimbraCollaborationapplication

ZimbraZimbra Collaboration Suiteapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

48 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

48 SOURCESView more in app

bleeping computerNews

Apr 24, 2026

Over 10,000 Zimbra servers vulnerable to ongoing XSS attacks

A Zimbra XSS vulnerability that was exploited by APT28 in phishing attacks against Ukrainian government-related targets via malicious emails opened in vulnerable Zimbra webmail sessions.

scworldNews

Mar 20, 2026

Russian APT weaponizes critical Zimbra bug in Ukraine-targeted intrusions | brief | SC Media

A high-severity stored cross-site scripting vulnerability in Zimbra Collaboration that has been exploited in intrusions targeting Ukraine.

scworldNews

Mar 20, 2026

US disrupts Handala hacktivist websites | brief | SC Media

A high-severity stored cross-site scripting vulnerability in Zimbra Collaboration that was weaponized in Ukraine-targeted intrusions.

scworldNews

Mar 20, 2026

New Speagle malware hijacks Cobra DocGuard for data theft | brief | SC Media

A high-severity stored cross-site scripting vulnerability in Zimbra Collaboration that was reportedly weaponized in Ukraine-targeted intrusions.

+4 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence5

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity39

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-66376

NVD

nvd.nist.gov/vuln/detail/CVE-2025-66376

MITRE CWE · CWE-79

Improper Neutralization of Input During Web…

Vendor Advisory

wiki.zimbra.com/wiki/Security_Center

Vendor Advisory

wiki.zimbra.com/wiki/Zimbra_Security_Advisories

Release Notes

wiki.zimbra.com/wiki/Zimbra_Releases/10.0.18

Release Notes

wiki.zimbra.com/wiki/Zimbra_Releases/10.1.13

Product

wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-66376