CVE-2025-66376
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Description
Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.
Analysis
Zimbra Collaboration Suite (ZCS) 10.x contains a stored XSS vulnerability in the Classic UI that allows attackers to execute arbitrary JavaScript through CSS @import directives in HTML e-mails. This vulnerability (CVE-2025-66376) is KEV-listed; it enables session hijacking and account takeover when administrators or users view a malicious e-mail, which makes it attractive for e-mail-based espionage campaigns.
Technical Context
The vulnerability lies in the handling of CSS @import directives within HTML e-mail content. While Zimbra sanitizes many XSS vectors when rendering e-mail, the Classic UI fails to block CSS @import statements, which can load external stylesheets or inject JavaScript through CSS expression evaluation. Because the malicious payload is stored in the e-mail itself, it executes every time any user views the message, making it particularly effective against organizations that use Zimbra's Classic web interface.
Affected Products
Zimbra Collaboration Suite 10.0 before 10.0.18
Zimbra Collaboration Suite 10.1 before 10.1.13
Remediation
Upgrade to ZCS 10.0.18 or later, or 10.1.13 or later, immediately. Switch users to the Modern UI, which is not affected. Implement e-mail content filtering to strip CSS @import directives. Monitor for suspicious e-mail content patterns.
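A defensive filter for the content-filtering step above, added here as an example and not taken from the advisory or from Zimbra: it strips @import rules from <style> blocks and inline style attributes of an HTML message body and counts what it removed, so the same function doubles as a detection hook for mail-flow monitoring. SAMPLE_HTML is a constructed placeholder message, not a real sample.

```python
import re

# Constructed sample: an HTML e-mail body carrying one @import rule inside a
# <style> block and one inside an inline style attribute, next to benign rules.
SAMPLE_HTML = """<html><head>
<style>
  @import url("https://example.invalid/evil.css");
  body { color: #333; }
</style></head>
<body style="@import 'x.css'; font-size: 12px">Hello</body></html>"""

# CSS comments are removed first so a comment cannot split the @import keyword.
_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# One @import rule, up to its terminating semicolon (or the end of the block).
_IMPORT_RULE = re.compile(r"@import\b[^;{}]*;?", re.I)
_STYLE_BLOCK = re.compile(r"(<style\b[^>]*>)(.*?)(</style>)", re.I | re.S)
_STYLE_ATTR = re.compile(r'(\sstyle\s*=\s*)(["\'])(.*?)\2', re.I | re.S)


def _strip_imports(css: str) -> tuple:
    """Return (css without @import rules, number of rules removed)."""
    css = _CSS_COMMENT.sub("", css)
    return _IMPORT_RULE.subn("", css)


def strip_css_imports(html: str) -> tuple:
    """Remove @import rules from <style> blocks and style="" attributes.
    Returns (sanitized_html, number_of_rules_removed)."""
    total = 0

    def fix_block(m):
        nonlocal total
        body, n = _strip_imports(m.group(2))
        total += n
        return m.group(1) + body + m.group(3)

    def fix_attr(m):
        nonlocal total
        body, n = _strip_imports(m.group(3))
        total += n
        return m.group(1) + m.group(2) + body + m.group(2)

    html = _STYLE_BLOCK.sub(fix_block, html)
    html = _STYLE_ATTR.sub(fix_attr, html)
    return html, total


def contains_css_import(html: str) -> bool:
    """Detection-only variant for monitoring: True if any rule would be removed."""
    return strip_css_imports(html)[1] > 0


if __name__ == "__main__":
    sanitized, removed = strip_css_imports(SAMPLE_HTML)
    print(f"removed {removed} @import rule(s)")
    print(sanitized)
```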