Exploitation Summary
CVE-2025-66376 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 18, 2026.
Description
Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.
References (6)
Core References
US Government Resource: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-66376
Third Party Advisory: https://wiki.zimbra.com/wiki/Security_Center
Third Party Advisory: https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.18#Security_Fixes
Third Party Advisory: https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.13#Security_Fixes
Third Party Advisory: https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
Third Party Advisory: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
Scores
CVSS v3: 7.2
EPSS: 0.1201
EPSS Percentile: 95.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: partial
Details
CISA KEV: 2026-03-18
VulnCheck KEV: 2026-03-17
ENISA EUVD: EUVD-2026-0850
CWE: CWE-79
Status: published
Products (3)
synacor/zimbra_collaboration_suite: 10.0.0 - 10.0.18
Zimbra/Collaboration: 10.0 - 10.0.18
Zimbra/Collaboration: 10.1 - 10.1.13
Published: Jan 05, 2026
KEV Added: Mar 18, 2026
Tracked Since: Feb 18, 2026