Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Zimbra Collaboration Suite (ZCS) 10.0 and 10.1 contains a reflected cross-site scripting (XSS) vulnerability in the Classic Webmail REST interface (/h/rest). The application fails to properly sanitize user-supplied input, allowing an unauthenticated attacker to inject malicious JavaScript into a crafted URL. When a victim user accesses the link, the injected script executes in the context of the Zimbra webmail application, which could allow the attacker to perform actions on behalf of the victim.
AnalysisAI
A reflected cross-site scripting (XSS) vulnerability exists in the Zimbra Collaboration Suite (ZCS) Classic Webmail REST interface (/h/rest) affecting versions 10.0 and 10.1, allowing unauthenticated attackers to inject malicious JavaScript via crafted URLs. When a victim accesses the malicious link, the injected script executes within the Zimbra webmail application context, enabling the attacker to perform unauthorized actions on behalf of the victim such as reading emails, modifying settings, or sending messages. No CVSS score, EPSS probability, or public exploit code availability data is currently documented in the available intelligence sources, though the vulnerability is documented in the Zimbra Releases 10.1.16 security fixes, indicating a patch has been made available.
Technical ContextAI
This vulnerability is a reflected XSS flaw (CWE category: improper neutralization of input during web page generation) in the Zimbra REST interface endpoint. The /h/rest API path fails to properly sanitize or encode user-supplied input parameters before reflecting them back into HTTP responses or DOM contexts. Zimbra Collaboration Suite is an enterprise-class email and collaboration platform built on Java. The Classic Webmail interface specifically is the legacy web-based mail client component. The vulnerability requires no authentication to trigger, meaning the attack vector is network-based and can be delivered via email, instant messaging, or any channel where a victim can be tricked into clicking a link. The affected CPE designation (cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:*) suggests incomplete or placeholder data in the official CVE record, but vendor references confirm Zimbra ZCS versions 10.0 and 10.1 are in scope.
RemediationAI
Immediately upgrade Zimbra Collaboration Suite to version 10.1.16 or later, which contains the documented security fix for this reflected XSS vulnerability (see https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.16#Security_Fixes). For deployments unable to upgrade immediately, implement network-layer mitigations: restrict access to the /h/rest endpoint to trusted IP ranges via firewall or reverse proxy rules, enforce HTTPS-only connections with HSTS headers to prevent session hijacking, and configure HTTP response headers (Content-Security-Policy, X-XSS-Protection) to limit XSS payload execution. Additionally, review Zimbra's Responsible Disclosure Policy at https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy for any vendor-recommended workarounds or patches specific to your deployment version. Monitor the Security Center at https://wiki.zimbra.com/wiki/Security_Center for updates and consider disabling the Classic Webmail interface entirely if not required, using the modern Zimbra web client instead.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13690