Synced 17 Jun 2026 22:27 UTC Account
← All products

CVE-2025-48700

MEDIUM severity · CVSS 6.1 · Cross-site scripting (XSS) · actively exploited (CISA KEV)
6.1CVSS MEDIUM exploited
Actively exploited in the wild (CISA Known Exploited Vulnerabilities). Added to KEV 2026-04-20. US federal agencies must patch by 2026-04-23.

Summary

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, specifically involving crafted tag structures and attribute values that include an @import directive and other script injection vectors. The vulnerability is triggered when a user views a crafted e-mail message in the Classic UI, requiring no additional user interaction.

Impact & exploitability

Attack vectorNetwork
Attack complexityLow
Privileges requiredNone
User interactionRequired
Confidentiality impactLow
Integrity impactLow
Availability impactNone
Exploit probability (EPSS)2%

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected products we track (1)

Zimbra Collaboration Suite (ZCS)

Recommendation

This vulnerability is being actively exploited in the wild — patch affected products urgently. Open any affected product above for its exact safe version.

Additional information