CVE-2025-66376
Stored XSS via CSS @import in Zimbra Collaboration UI
Publication date: 2026-01-05
Last updated on: 2026-03-18
Assigner: MITRE
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| synacor | zimbra_collaboration_suite | From 10.0.0 (inc) to 10.0.18 (exc) |
| synacor | zimbra_collaboration_suite | From 10.1.0 (inc) to 10.1.13 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-66376 is a stored Cross-Site Scripting (XSS) vulnerability in the Classic Web UI of Zimbra Collaboration Suite versions before 10.0.18 and 10.1 before 10.1.13. Attackers can exploit this flaw by embedding malicious CSS @import directives within the HTML content of an email message, which allows execution of malicious scripts when the email is viewed in the Classic UI. [1, 2]
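As an added defensive example (not code from this page or from Zimbra), a small Python detector that flags @import rules inside the <style> blocks and style attributes of an inbound HTML email, stripping CSS comments and decoding CSS escapes first so that obfuscated spellings of the at-rule are caught; the sample email body is constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Constructed sample: one @import hidden behind a CSS hex escape inside <style>,
# one plain @import in an inline style attribute.
SAMPLE_EMAIL_HTML = (
    "<html><head><style>@\\69 mport url(https://example.invalid/x.css);"
    "p{color:red}</style></head>"
    "<body><p style=\"@import 'https://example.invalid/y.css'; color:blue\">hi</p>"
    "</body></html>"
)

CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
CSS_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n\r\f]?")
CSS_CHAR_ESCAPE = re.compile(r"\\(.)", re.S)
IMPORT_RULE = re.compile(r"@import\b", re.I)

def normalize_css(css: str) -> str:
    """Remove comments and decode escapes so obfuscated at-rules become visible."""
    css = CSS_COMMENT.sub("", css)
    css = CSS_HEX_ESCAPE.sub(lambda m: chr(min(int(m.group(1), 16), 0x10FFFF)), css)
    return CSS_CHAR_ESCAPE.sub(lambda m: m.group(1), css)

class CssImportFinder(HTMLParser):
    """Collect every <style> block and style="" attribute containing @import."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_style = False
        self.findings = []  # (location, tag, normalized css)
    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True
        for name, value in attrs:
            if name == "style" and value:
                css = normalize_css(value)
                if IMPORT_RULE.search(css):
                    self.findings.append(("attr", tag, css))
    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
    def handle_data(self, data):
        if self.in_style:
            css = normalize_css(data)
            if IMPORT_RULE.search(css):
                self.findings.append(("style", "style", css))

def find_css_imports(html: str):
    """Return the list of @import findings for one HTML email body."""
    parser = CssImportFinder()
    parser.feed(html)
    parser.close()
    return parser.findings
```

A mail gateway or sanitizer can reject or rewrite a message whenever this returns a non-empty list, since legitimate HTML mail has no need to pull in external stylesheets.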
How can this vulnerability impact me?
This vulnerability can allow attackers to execute malicious scripts in the context of the affected user's browser when they view a crafted email. This can lead to unauthorized actions such as stealing session tokens, performing actions on behalf of the user, or other malicious activities that compromise the confidentiality and integrity of the user's data within the Zimbra Classic Web UI. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2025-66376 vulnerability, immediately upgrade your Zimbra Collaboration Suite to version 10.0.18 or later (for Zimbra 10.0.x) or 10.1.13 or later (for Zimbra 10.1.x). These versions include patches that fix the stored XSS flaw by addressing CSS @import directive abuse in email HTML content. Additionally, the 10.1.13 release removes the Classic Web App's PDF preview feature to prevent stored XSS via PDFs, and upgrades critical components such as Apache HttpClient, ClamAV, Jetty, and OpenSSL to more secure versions. Applying these updates will mitigate the risk of exploitation. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not explicitly discuss how the CVE-2025-66376 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability is a stored Cross-Site Scripting (XSS) flaw that could allow attackers to execute malicious scripts via email content, it potentially risks unauthorized access to sensitive information, which could impact compliance with data protection regulations. The patches in versions 10.0.18 and 10.1.13 include security improvements and mitigations that help reduce such risks, indirectly supporting compliance efforts. No direct statements about compliance impact are provided. [1, 2]