CVE-2025-66376
Unknown Unknown - Not Provided
Stored XSS via CSS @import in Zimbra Collaboration UI

Publication date: 2026-01-05

Last updated on: 2026-03-18

Assigner: MITRE

Description
Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-05
Last Modified
2026-03-18
Generated
2026-06-16
AI Q&A
2026-01-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66376
EUVD
EUVD-2026-0850
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
synacor zimbra_collaboration_suite From 10.0.0 (inc) to 10.0.18 (exc)
synacor zimbra_collaboration_suite From 10.1.0 (inc) to 10.1.13 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-66376 is a stored Cross-Site Scripting (XSS) vulnerability in the Classic Web UI of Zimbra Collaboration Suite versions before 10.0.18 and 10.1 before 10.1.13. Attackers can exploit this flaw by embedding malicious CSS @import directives within the HTML content of an email message, which allows execution of malicious scripts when the email is viewed in the Classic UI. [1, 2]

Impact Analysis

This vulnerability can allow attackers to execute malicious scripts in the context of the affected user's browser when they view a crafted email. This can lead to unauthorized actions such as stealing session tokens, performing actions on behalf of the user, or other malicious activities that compromise the confidentiality and integrity of the user's data within the Zimbra Classic Web UI. [1, 2]

Mitigation Strategies

To mitigate the CVE-2025-66376 vulnerability, immediately upgrade your Zimbra Collaboration Suite to version 10.0.18 or later (for Zimbra 10.0.x) or 10.1.13 or later (for Zimbra 10.1.x). These versions include patches that fix the stored XSS flaw by addressing CSS @import directive abuse in email HTML content. Additionally, the 10.1.13 release removes the Classic Web App's PDF preview feature to prevent stored XSS via PDFs, and upgrades critical components such as Apache HttpClient, ClamAV, Jetty, and OpenSSL to more secure versions. Applying these updates will mitigate the risk of exploitation. [1, 2]

Compliance Impact

The provided resources do not explicitly discuss how the CVE-2025-66376 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability is a stored Cross-Site Scripting (XSS) flaw that could allow attackers to execute malicious scripts via email content, it potentially risks unauthorized access to sensitive information, which could impact compliance with data protection regulations. The patches in versions 10.0.18 and 10.1.13 include security improvements and mitigations that help reduce such risks, indirectly supporting compliance efforts. No direct statements about compliance impact are provided. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66376. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart