CVE-2025-48700

MEDIUM KEV

Zimbra Collaboration Suite 8.8.15, 9.0, 10.0-10.1 - Stored Cross-Site Scripting via Crafted Email HTML Content

Title source: llm

Exploitation Summary

CVE-2025-48700 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 20, 2026.

Description

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, specifically involving crafted tag structures and attribute values that include an @import directive and other script injection vectors. The vulnerability is triggered when a user views a crafted e-mail message in the Classic UI, requiring no additional user interaction.

References (4)

Core 4

Core References

Third Party Advisory, US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48700

Release Notes

https://wiki.zimbra.com/wiki/Security_Center

Product

https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy

Vendor Advisory

https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

Scores

CVSS v3 6.1

EPSS 0.1819

EPSS Percentile 95.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact partial

Details

CISA KEV 2026-04-20

VulnCheck KEV 2026-04-20

ENISA EUVD EUVD-2025-18891

CWE

CWE-79

Status published

Products (2)

synacor/zimbra_collaboration_suite 8.8.15 (48 CPE variants)

synacor/zimbra_collaboration_suite 9.0.0 (2 CPE variants)

Published Jun 23, 2025

KEV Added Apr 20, 2026

Tracked Since Feb 18, 2026