CVE-2025-66376

Severity: High · CISA KEV · Active Exploitation

Published: 05 January 2026
Modified: 18 March 2026
KEV Added: 18 March 2026
Patch: available (versions 10.0.18 and 10.1.13)
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.1090 (93.5th percentile)
Risk Priority: 41 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-66376 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Synacor Zimbra Collaboration Suite. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 6.5% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Directly mitigates the stored XSS vulnerability by requiring timely application of the Zimbra patches in versions 10.0.18 and 10.1.13 that fix improper CSS @import handling.

prevent (SI-15, Information Output Filtering): Prevents XSS execution by filtering malicious CSS @import directives out of HTML email output when it is rendered in the Classic UI.

prevent (SI-10, Information Input Validation): Validates and sanitizes incoming HTML email content on the server side to block storage of malicious CSS @import directives.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

Why these techniques?

Stored XSS in public-facing Zimbra webmail (T1190) allows unauthenticated attackers to send malicious HTML emails that execute JavaScript in victim browsers, enabling session hijacking via web session cookie theft (T1539).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.

Deeper analysis

CVE-2025-66376 is a stored cross-site scripting (XSS) vulnerability (CWE-79) in the Classic UI of Zimbra Collaboration Suite (ZCS) versions 10 before 10.0.18 and 10.1 before 10.1.13. It arises from the improper handling of Cascading Style Sheets (CSS) @import directives embedded in HTML email messages, allowing malicious payloads to be stored and executed when rendered in the Classic UI.

Unauthenticated attackers (PR:N) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N), as encoded in its CVSS v3.1 vector (base score 7.2, S:C/C:L/I:L/A:N). By sending a crafted HTML email containing a malicious CSS @import directive, the attacker stores the payload server-side; when a victim opens the email in the affected Classic UI, the script executes in the context of the Zimbra application, enabling session hijacking, data theft, or further compromise. The confidentiality and integrity impacts are rated low (C:L/I:L), with the scope marked as changed (S:C).

Zimbra's security advisories and release notes for versions 10.0.18 and 10.1.13 document fixes for this issue, recommending immediate upgrades to these patched releases. Additional guidance is available in the Zimbra Security Center, Security Advisories, and Responsible Disclosure Policy on their wiki.
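As an added illustration of the SI-10 (input validation) and SI-15 (output filtering) controls listed above, the following is example code written for this page; it is not Zimbra's fix and not code from the advisory. It is a server-side filter that removes CSS @import rules from `<style>` blocks and `style=""` attributes of an HTML message before the message is stored or rendered, and returns a list of what it removed so the event can be logged or alerted on. Because a browser strips CSS comments, decodes backslash escapes, and entity-decodes attribute values before it recognises an at-rule, the filter normalises the CSS the same way before matching, so that it compares the token the renderer would actually see. The function names, the sample message and the example.invalid URLs are all constructed for this example.

```python
import html as html_lib
import re

# CSS tokenization helpers: browsers strip comments and decode backslash
# escapes before they recognise an at-rule, so the filter must do the
# same or it will compare against a token the renderer never sees.
CSS_COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
# \HHHHHH (1-6 hex digits plus optional single trailing whitespace) or \<char>
CSS_ESCAPE_RE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})\s?|(.))", re.DOTALL)
CSS_IMPORT_RULE_RE = re.compile(r"@import\b[^;]*;?", re.IGNORECASE)

STYLE_BLOCK_RE = re.compile(r"(<style\b[^>]*>)(.*?)(</style\s*>)",
                            re.IGNORECASE | re.DOTALL)
STYLE_ATTR_RE = re.compile(r"""(\sstyle\s*=\s*)(["'])(.*?)\2""",
                           re.IGNORECASE | re.DOTALL)


def _decode_escape(m: re.Match) -> str:
    hexdigits, literal = m.group(1), m.group(2)
    if hexdigits is None:          # "\\" or "\x": the escaped character itself
        return literal
    cp = int(hexdigits, 16)
    return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"


def normalize_css(css: str) -> str:
    """Remove comments and decode escapes so that obfuscated spellings of
    '@import' collapse to the plain token."""
    return CSS_ESCAPE_RE.sub(_decode_escape, CSS_COMMENT_RE.sub("", css))


def remove_css_imports(css: str) -> tuple[str, list[str]]:
    """Return (css without @import rules, list of the rules removed)."""
    normalized = normalize_css(css)
    removed = [rule.strip() for rule in CSS_IMPORT_RULE_RE.findall(normalized)]
    return CSS_IMPORT_RULE_RE.sub("", normalized), removed


def sanitize_html_email(body: str) -> tuple[str, list[str]]:
    """Strip @import rules from <style> blocks and style="" attributes.

    Returns the filtered body and a list of findings for logging/alerting;
    a non-empty list means the message carried an @import rule. At-rules
    are not valid inside a style attribute anyway, so removing them there
    costs nothing for legitimate mail."""
    findings: list[str] = []

    def fix_style_block(m: re.Match) -> str:
        cleaned, removed = remove_css_imports(m.group(2))
        findings.extend(f"style block: {rule}" for rule in removed)
        return m.group(1) + cleaned + m.group(3)

    def fix_style_attr(m: re.Match) -> str:
        # Attribute values are entity-decoded before the CSS parser sees
        # them, so decode, filter, then re-escape for the attribute.
        cleaned, removed = remove_css_imports(html_lib.unescape(m.group(3)))
        findings.extend(f"style attribute: {rule}" for rule in removed)
        quote = m.group(2)
        return m.group(1) + quote + html_lib.escape(cleaned, quote=True) + quote

    body = STYLE_BLOCK_RE.sub(fix_style_block, body)
    body = STYLE_ATTR_RE.sub(fix_style_attr, body)
    return body, findings


# Constructed sample message (not a real captured e-mail); example.invalid
# is a reserved, non-resolving domain. The second @import is spelled with
# a CSS comment and a hex escape to show why normalisation is needed.
SAMPLE_EMAIL = (
    '<html><head><style>\n'
    '  body { color: #333; }\n'
    '  @import url("https://example.invalid/evil.css");\n'
    "  @/**/imp\\6f rt 'https://example.invalid/hidden.css';\n"
    '</style></head>\n'
    '<body><p style="color:red; @import url(x.css)">Hello</p></body></html>'
)

if __name__ == "__main__":
    filtered, findings = sanitize_html_email(SAMPLE_EMAIL)
    for finding in findings:
        print("removed:", finding)
    print(filtered)
```

In a mail pipeline the same function serves both controls: run it on inbound mail before the message is written to the mailbox (SI-10), and run it again on the rendering path as defence in depth for messages stored before the filter was deployed (SI-15). Treat a non-empty findings list as a detection signal worth correlating with the sender and recipient, since legitimate HTML mail has no reason to pull in external stylesheets.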

Details

CWE(s): CWE-79 (Cross-site Scripting)
KEV Date Added: 18 March 2026

Affected Products

Synacor Zimbra Collaboration Suite: 10.0.0 to 10.0.18 · 10.1.0 to 10.1.13

CVEs Like This One

CVE-2025-27915 · Same product: Synacor Zimbra Collaboration Suite · both on KEV
CVE-2025-68645 · Same product: Synacor Zimbra Collaboration Suite · both on KEV
CVE-2025-25064 · Same product: Synacor Zimbra Collaboration Suite
CVE-2026-33373 · Same product: Synacor Zimbra Collaboration Suite
CVE-2025-68461 · Same product class: email / collaboration · both on KEV
CVE-2026-42897 · Same product class: email / collaboration · both on KEV
CVE-2024-57686 · Shared CWE-79
CVE-2025-22775 · Shared CWE-79
CVE-2025-23960 · Shared CWE-79
CVE-2024-40748 · Shared CWE-79
