CVE-2025-66376

Published: Jan 5, 2026Updated: Jan 8, 2026 Sources: CVE List NVD BDUCWE-79

NVD MITRE

7.2CVSSHIGH

EPSS Score

Description

Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.

CVSS Vector Breakdown

Exploitability

AV:NAttack Vector

Network

AC:LAttack Complexity

Low

PR:NPrivileges Required

None

UI:NUser Interaction

None

Scope

S:CScope

Changed

Impact

C:LConfidentiality

Low

I:LIntegrity

Low

A:NAvailability

None

Open in CVSS calculator →

Weaknesses

CWE-79

Affected Products

Collaboration Zimbra

On-premDesktop App

Enterprise Software / collaboration-groupware

Zimbra Collaboration Suite Zimbra Inc.

Mixed

Communications / email-server-client

zimbracommercialEnterprise Softwareaka zimbra collaboration server

zimbra inc.commercialUSCommunications

Attack Graph

Products CVE Techniques Tactics

Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.

Exploitability

CISA Known Exploited Vulnerability

Added to KEV:Mar 18, 2026

Remediation due:Apr 1, 2026

Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Official Patch Available