EUVD-2026-13690
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3Tags
Description
Zimbra Collaboration Suite (ZCS) 10.0 and 10.1 contains a reflected cross-site scripting (XSS) vulnerability in the Classic Webmail REST interface (/h/rest). The application fails to properly sanitize user-supplied input, allowing an unauthenticated attacker to inject malicious JavaScript into a crafted URL. When a victim user accesses the link, the injected script executes in the context of the Zimbra webmail application, which could allow the attacker to perform actions on behalf of the victim.
Analysis
A reflected cross-site scripting (XSS) vulnerability exists in the Zimbra Collaboration Suite (ZCS) Classic Webmail REST interface (/h/rest) affecting versions 10.0 and 10.1, allowing unauthenticated attackers to inject malicious JavaScript via crafted URLs. When a victim accesses the malicious link, the injected script executes within the Zimbra webmail application context, enabling the attacker to perform unauthorized actions on behalf of the victim such as reading emails, modifying settings, or sending messages. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Verify Content-Security-Policy and output encoding.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today