Description
Zimbra Collaboration (ZCS) before 9.0.0 Patch 46, 10.0.x before 10.0.15, and 10.1.x before 10.1.9 is vulnerable to a denial of service condition due to improper handling of excessive, comma-separated path segments in the Admin Console. An unauthenticated remote attacker can send specially crafted GET requests that trigger redundant processing and inflated responses. This leads to uncontrolled resource consumption, resulting in denial of service.
References (6)
Third Party Advisory: https://wiki.zimbra.com/wiki/Security_Center
Third Party Advisory: https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.15#Security_Fixes
Third Party Advisory: https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.9#Security_Fixes
Third Party Advisory: https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P46#Security_Fixes
Third Party Advisory: https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
Third Party Advisory: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
Scores
CVSS v3: 7.5
EPSS: 0.0133
EPSS Percentile: 67.5%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-400
Status: published
Published: Jul 09, 2025
Tracked Since: Feb 18, 2026