CVE-2020-7796
CRITICAL KEV NUCLEIZimbra Collaboration Suite <8.8.15 Patch 7 - SSRF
Title source: llmExploitation Summary
CVE-2020-7796 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 17, 2026. A Nuclei detection template is also available.
Description
Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is enabled.
Nuclei Templates (2)
Zimbra Collaboration Suite - Server-Side Request Forgery
CRITICALby gy741
Zimbra Collaboration Suite < 8.8.15 Patch 7 - Server-Side Request Forgery
CRITICALby gy741
Shodan:
http.title:"zimbra collaboration suite" || http.title:"zimbra web client sign in"
FOFA:
title="zimbra web client sign in" || title="zimbra collaboration suite"
References (2)
Core 2
Core References
Release Notes, Vendor Advisory x_refsource_confirm
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P7
Third Party Advisory, US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-7796
Scores
CVSS v3
9.8
EPSS
0.9330
EPSS Percentile
99.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
active
Automatable
yes
Technical Impact
total
Details
CISA KEV
2026-02-17
VulnCheck KEV
2023-12-12
ENISA EUVD
EUVD-2020-28728
CWE
CWE-918
Status
published
Products (2)
synacor/zimbra_collaboration_suite
8.8.15 (7 CPE variants)
synacor/zimbra_collaboration_suite
< 8.8.15
Published
Feb 18, 2020
KEV Added
Feb 17, 2026
Tracked Since
Feb 18, 2026