CVE-2025-66376 - Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability
Project: Synacor
Product: Zimbra Collaboration Suite (ZCS)
Date Added: 2026-03-18
Due Date: 2026-04-01
Vulnerability Name
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability
Description
Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability in the Classic UI where attackers could abuse Cascading Style Sheets (CSS) @import directives in email HTML.
Known To Be Used in Ransomware Campaigns?
Unknown
Action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Additional Notes
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
https://nvd.nist.gov/vuln/detail/CVE-2025-66376
Related News Articles
Over 10,000 Zimbra servers vulnerable to ongoing XSS attacks - April 24, 2026
Russian hackers exploit Zimbra flaw in Ukrainian govt attacks - March 19, 2026
CISA Warns of Zimbra, SharePoint Flaw Exploits; Cisco Zero-Day Hit in Ransomware Attacks - March 19, 2026
CISA orders feds to patch Zimbra XSS flaw exploited in attacks - March 19, 2026