Cyber Posture

CVE-2025-66376

Severity: High · CISA KEV · Active Exploitation

Published: 05 January 2026

Modified: 18 March 2026
KEV Added: 18 March 2026
Patch
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.0915 (92.7th percentile)
Risk Priority: 40 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.

Mitigating Controls (NIST 800-53 r5) [AI]

- prevent: Directly mitigates the stored XSS vulnerability by requiring timely application of the Zimbra patches in versions 10.0.18 and 10.1.13 that fix improper CSS @import handling.
- prevent: Prevents XSS execution by filtering malicious CSS @import directives from HTML email output when it is rendered in the Classic UI.
- prevent: Validates and sanitizes incoming HTML email content server-side to block storage of malicious CSS @import directives.

Security Summary [AI]

CVE-2025-66376 is a stored cross-site scripting (XSS) vulnerability (CWE-79) in the Classic UI of Zimbra Collaboration Suite (ZCS) versions 10 before 10.0.18 and 10.1 before 10.1.13. It arises from the improper handling of Cascading Style Sheets (CSS) @import directives embedded in HTML email messages, allowing malicious payloads to be stored and executed when rendered in the Classic UI.

Unauthenticated attackers (PR:N) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction required (UI:N), as indicated by its CVSS v3.1 base score of 7.2 (S:C/C:L/I:L/A:N). By sending a crafted HTML email containing a malicious CSS @import directive, the attacker causes the payload to be stored server-side. When a victim opens the email in the affected Classic UI, the XSS executes in the context of the Zimbra application, potentially enabling session hijacking, data theft, or further compromise; the vector rates this as changed scope (S:C) with low confidentiality and integrity impacts.

Zimbra's security advisories and release notes for versions 10.0.18 and 10.1.13 document fixes for this issue, recommending immediate upgrades to these patched releases. Additional guidance is available in the Zimbra Security Center, Security Advisories, and Responsible Disclosure Policy on their wiki.

Details

CWE(s): CWE-79
KEV Date Added: 18 March 2026

Affected Products

Vendor: synacor
Product: zimbra collaboration suite
Versions: 10.0.0 — 10.0.18 · 10.1.0 — 10.1.13

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

Why these techniques?

Stored XSS in public-facing Zimbra webmail (T1190) allows unauthenticated attackers to send malicious HTML emails whose payload executes as JavaScript in victims' browsers, enabling session hijacking through theft of web session cookies (T1539).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References