
CISA KEV: Zimbra Collaboration XSS Vulnerability CVE-2025-66376

Source: CISA Known Exploited Vulnerabilities (KEV), www.cisa.gov
Published March 18th, 2026
Detected March 19th, 2026

Summary

CISA has added CVE-2025-66376, a stored cross-site scripting (XSS) vulnerability in Zimbra Collaboration, to its Known Exploited Vulnerabilities catalog. Because it is being exploited in the wild, it requires immediate attention from federal agencies and from any organization running the affected 10.0 and 10.1 releases.

What changed

CISA has added CVE-2025-66376, a stored cross-site scripting (XSS) vulnerability in the Classic UI of Zimbra Collaboration (ZCS) 10.0 before 10.0.18 and 10.1 before 10.1.13, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, rated HIGH with a CVSS 3.1 base score of 7.2, is triggered by Cascading Style Sheets (CSS) @import directives in an HTML e-mail message: the malicious CSS is stored with the message and executes in the webmail session of the user who opens it.

Federal civilian agencies are required to patch or mitigate this vulnerability by March 18, 2026, the due date recorded in the catalog entry. Other organizations running Zimbra Collaboration 10.0 or 10.1 should upgrade to 10.0.18 or 10.1.13 (or later) without waiting, since exploitation is already active. Script running in a victim's webmail session can read their mail, act in their mailbox under their identity and steal session material, which is how a single XSS becomes unauthorized access, data compromise and further compromise of connected systems.
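The record above names the delivery vector (CSS @import in an HTML message) but not how to look for it in a mail store. The following triage helper is an added example, not Zimbra's or CISA's code: it walks a raw RFC 822 message, pulls the CSS out of every text/html part (both `<style>` blocks and `style=""` attributes) and reports any @import targets. The two messages embedded in it are constructed for the example.

```python
"""Added triage helper (not Zimbra's or CISA's code): flag HTML e-mail parts
whose CSS carries @import directives, the vector named for CVE-2025-66376.
Input is raw RFC 822 text, e.g. a message exported from the mail store;
the sample messages below are constructed for this example."""
import email
import re
from email import policy

# CSS in an HTML mail body can sit in <style> blocks or style="" attributes.
STYLE_BLOCK = re.compile(r"<style\b[^>]*>(.*?)</style\s*>", re.I | re.S)
STYLE_ATTR = re.compile(r"""\bstyle\s*=\s*(?:"([^"]*)"|'([^']*)')""", re.I | re.S)
# @import target: with or without url(), quoted or bare.
AT_IMPORT = re.compile(r"@import\s+(?:url\s*\(\s*)?['\"]?([^'\")\s;]+)", re.I)


def find_imports(html: str) -> list:
    """Return every @import target found in the CSS of one HTML body."""
    chunks = [m.group(1) for m in STYLE_BLOCK.finditer(html)]
    chunks += [m.group(1) or m.group(2) or "" for m in STYLE_ATTR.finditer(html)]
    return [m.group(1) for chunk in chunks for m in AT_IMPORT.finditer(chunk)]


def triage_message(raw: str) -> dict:
    """Walk a MIME message and report @import targets in its text/html parts."""
    msg = email.message_from_string(raw, policy=policy.default)
    imports = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            imports.extend(find_imports(part.get_content()))
    return {
        "message_id": str(msg["Message-ID"]),
        "from": str(msg["From"]),
        "subject": str(msg["Subject"]),
        "imports": imports,
        "suspicious": bool(imports),
    }


# Constructed sample: HTML part whose stylesheet pulls in a remote sheet.
SUSPICIOUS_EML = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: Constructed sample with CSS @import
Message-ID: <sample-1@example.invalid>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Plain-text alternative.
--b1
Content-Type: text/html; charset="utf-8"

<html><head><style>
  body { color: #333; }
  @import url("https://example.invalid/x.css");
</style></head><body><p style="color:red">hello</p></body></html>
--b1--
"""

# Constructed sample: ordinary HTML mail, no @import anywhere.
BENIGN_EML = """\
From: newsletter@example.invalid
To: victim@example.invalid
Subject: Constructed benign sample
Message-ID: <sample-2@example.invalid>
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><head><style>body { font-family: sans-serif; }</style></head>
<body><p style="color:blue">Nothing imported here.</p></body></html>
"""

if __name__ == "__main__":
    for raw in (SUSPICIOUS_EML, BENIGN_EML):
        print(triage_message(raw))
```

Expect false positives: legitimate newsletters use @import for web fonts, so a hit is a lead, not a verdict. Pivot on the sender, on whether the recipients use the Classic UI, and on the import host before escalating.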

What to do next

  1. Apply the security updates: upgrade Zimbra Collaboration 10.0 instances to 10.0.18 or later and 10.1 instances to 10.1.13 or later, which address CVE-2025-66376.
  2. Verify that every affected Zimbra Collaboration instance reports a fixed release after the upgrade, and record any instance that has to stay on a vulnerable build together with the mitigation applied to it.
  3. Review security logs for signs of exploitation: HTML messages carrying CSS @import directives delivered to users of the Classic UI, and unusual session or mailbox activity by the users who viewed them.
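The following version check is an added example (not Zimbra's code) for steps 1 and 2. The affected ranges are taken from the CVE record on this page: 10.0 before 10.0.18 and 10.1 before 10.1.13, with every other train "unaffected" per the record's default status. The `Release X.Y.Z...` line format it parses from `zmcontrol -v` output is an assumption made for the example, and the sample output strings are constructed.

```python
"""Added version check for CVE-2025-66376 (not Zimbra's code). Ranges come
from the CVE record: 10.0 before 10.0.18, 10.1 before 10.1.13; other trains
carry the record's default status 'unaffected'. Assumes the first line of
`zmcontrol -v` (run as the zimbra user) starts 'Release X.Y.Z...'."""
import re
import subprocess

# (major, minor) train -> first fixed release, per the CVE record.
FIXED_IN = {(10, 0): (10, 0, 18), (10, 1): (10, 1, 13)}

RELEASE_RE = re.compile(r"\bRelease\s+(\d+)\.(\d+)\.(\d+)")


def parse_release(output: str) -> tuple:
    """Extract (major, minor, patch) from zmcontrol -v style output.

    Only the three-part release is compared, matching how the CVE record
    enumerates the range; anything after it on the line is ignored."""
    m = RELEASE_RE.search(output)
    if m is None:
        raise ValueError("no 'Release X.Y.Z' in zmcontrol output")
    return tuple(int(g) for g in m.groups())


def is_affected(release: tuple) -> bool:
    """True if the release falls inside a range the CVE record lists."""
    fixed = FIXED_IN.get(release[:2])
    if fixed is None:
        return False  # train not enumerated by the record: default status unaffected
    return release < fixed


def assess(output: str) -> dict:
    """Parse one host's zmcontrol output and return a small verdict record."""
    rel = parse_release(output)
    fixed = FIXED_IN.get(rel[:2])
    return {
        "release": ".".join(map(str, rel)),
        "affected": is_affected(rel),
        "fixed_in": ".".join(map(str, fixed)) if fixed else None,
    }


def read_live() -> str:
    """Run zmcontrol -v as the zimbra user on this host (assumed invocation)."""
    return subprocess.run(
        ["su", "-", "zimbra", "-c", "zmcontrol -v"],
        capture_output=True, text=True, check=True,
    ).stdout


# Constructed sample outputs; replace with assess(read_live()) on a real node.
SAMPLE_OUTPUTS = [
    "Release 10.0.17.GA.4652.UBUNTU22.64 UBUNTU22_64 FOSS edition.",
    "Release 10.0.18.GA.4700.UBUNTU22.64 UBUNTU22_64 FOSS edition.",
    "Release 10.1.12.GA.4800.UBUNTU22.64 UBUNTU22_64 FOSS edition.",
    "Release 10.1.13.GA.4801.UBUNTU22.64 UBUNTU22_64 FOSS edition.",
]

if __name__ == "__main__":
    for out in SAMPLE_OUTPUTS:
        print(assess(out))
```

Run it on every mailbox and proxy node rather than one representative host; mixed-version deployments are exactly where an unpatched node gets missed.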

Source document (simplified)

Required CVE Record Information

CNA: MITRE Corporation

Description

Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.

CWE

- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS

| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 7.2 | HIGH | 3.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |

Product Status

Default status: unaffected

Affected versions:

  • 10.0 from 10.0 before 10.0.18

  • 10.1 from 10.1 before 10.1.13

References: 5 (not reproduced on this page)

Authorized Data Publisher: CISA-ADP (updated 2026-03-19)

Supplies SSVC and KEV data, plus CVSS and CWE if not provided by the CNA.

SSVC

| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| active | no | partial | 2.0.3 | 2026-03-17 |

KEV

- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-66376 (2026-03-18)

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: CISA
Published: March 18th, 2026
Compliance deadline: March 18th, 2026 (1 day ago)
Instrument: Notice
Legal weight: Non-binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Technology companies
Geographic scope: National (US)

Taxonomy

Primary area: Cybersecurity
Operational domain: IT Security
Topics: Vulnerability Management, Cross-site Scripting (XSS)
