CVE-2025-48700: Zimbra XSS Vulnerability in Classic UI
Summary
CISA added CVE-2025-48700 to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability is a medium-severity (CVSS 3.1 base score 6.1) cross-site scripting flaw in the Classic UI of Zimbra Collaboration Suite versions 8.8.15, 9.0, 10.0, and 10.1. An attacker who sends a crafted HTML email can execute arbitrary JavaScript in the session of any user who views that message in the Classic UI, potentially gaining unauthorized access to sensitive information. CISA's SSVC decision-point values are exploitation: active, automatable: no, technical impact: partial.
“A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information.”
What changed
CISA added CVE-2025-48700 to its Known Exploited Vulnerabilities catalog. The vulnerability affects Zimbra Collaboration Suite 8.8.15, 9.0, 10.0, and 10.1 and allows an attacker to execute arbitrary JavaScript through a crafted email message rendered in the Classic UI. It is classified as CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); per the CVE description the root cause is insufficient sanitization of HTML content, including tag structures and attribute values that carry an @import directive. The CVSS vector's UI:R value reflects that the victim must open the message in the Classic UI; no further interaction is required.
Organizations running affected Zimbra versions should prioritize patching; the Zimbra Security Advisories page in the references below is where fixed builds are announced. Federal civilian agencies are subject to Binding Operational Directive 22-01 remediation timelines for KEV catalog entries. The SSVC 'active' exploitation designation signals that this vulnerability is being used in ongoing attacks, which elevates remediation urgency. Until the patch is applied, tightening HTML filtering at the mail gateway and hunting inbound mail for @import directives in style content are reasonable compensating steps that follow directly from the description.
Archived snapshot
Apr 21, 2026. GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
Required CVE Record Information
CNA: MITRE Corporation
Updated: 2025-06-23
Description
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, specifically involving crafted tag structures and attribute values that include an @import directive and other script injection vectors. The vulnerability is triggered when a user views a crafted e-mail message in the Classic UI, requiring no additional user interaction.
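The description names the construct classes involved (HTML tag structures and attribute values carrying an @import directive, plus other script injection vectors) without publishing the payload. What follows is an added example, not Zimbra's sanitizer and not the CVE payload: an allowlist-based sanitizer for HTML mail bodies of the kind a gateway or triage script could apply before a message reaches a rendering UI. It drops style content, event-handler attributes, script-bearing tags and non-allowlisted URL schemes rather than trying to pattern-match the bad ones, and records what it dropped so the same pass doubles as a hunting check. The allowlists, the `url_allowed` helper and the two sample messages are assumptions constructed for this example.

```python
import html
import re
from html.parser import HTMLParser

# Allowlist for rendered mail: an assumption for this example, extend per product.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
                "div", "span", "table", "tr", "td", "th", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}   # style= is never allowed
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}
CSS_IMPORT = re.compile(r"@import\b", re.IGNORECASE)     # triage signal only


def url_allowed(value: str) -> bool:
    """Relative URLs and allowlisted schemes only. Browsers strip ASCII tab,
    LF and CR from URLs before parsing, so strip them first; otherwise
    'java<TAB>script:' would pass a naive prefix check."""
    cleaned = "".join(ch for ch in value if ch not in "\t\n\r").strip()
    head = re.split(r"[/?#]", cleaned, maxsplit=1)[0]
    if ":" not in head:
        return True                      # relative reference, no scheme
    return head.split(":", 1)[0].lower() in ALLOWED_SCHEMES


class MailHtmlSanitizer(HTMLParser):
    """Rebuilds the body from the allowlist and records what was dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings = [], []
        self._raw_tag = None             # set while inside <script>/<style> content

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._raw_tag = tag
            self.findings.append(f"<{tag}> block dropped")
            return
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"<{tag}> dropped")
            return                       # tag removed, its text is kept as text
        kept = []
        for name, value in attrs:
            value = value or ""
            if name == "style":
                note = " (contains @import)" if CSS_IMPORT.search(value) else ""
                self.findings.append(f"style attribute dropped on <{tag}>{note}")
            elif name.startswith("on"):
                self.findings.append(f"event handler {name} dropped on <{tag}>")
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue                 # style=, on*= and anything unlisted
            if name in ("href", "src") and not url_allowed(value):
                self.findings.append(f"disallowed URL scheme in {name} on <{tag}>")
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == self._raw_tag:
            self._raw_tag = None
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._raw_tag:                # raw <script>/<style> text: never emitted
            if CSS_IMPORT.search(data):
                self.findings.append(f"@import inside <{self._raw_tag}> block")
            return
        self.out.append(html.escape(data, quote=False))


def sanitize_mail_html(body: str):
    """Return (sanitized_html, findings) for one decoded text/html part."""
    p = MailHtmlSanitizer()
    p.feed(body)
    p.close()
    return "".join(p.out), p.findings


# Constructed sample messages for the example (not real payloads).
BENIGN = '<p>Hi <b>team</b>, see <a href="https://example.test/report">the report</a>.</p>'
CRAFTED = (
    '<p style="color:red;@import url(https://attacker.test/x.css)">Invoice</p>'
    '<style>@import url("https://attacker.test/y.css");</style>'
    '<a href="java\tscript:alert(1)" onmouseover="alert(2)">pay now</a>'
    '<script>alert(3)</script>'
)

if __name__ == "__main__":
    for body in (BENIGN, CRAFTED):
        cleaned, findings = sanitize_mail_html(body)
        print(cleaned)
        for f in findings:
            print("  -", f)
```

The allowlist is deliberately the load-bearing half of the design: the regex for the literal text @import only annotates findings for triage, because CSS escapes such as @\69mport would evade it, whereas dropping every style attribute and style block needs no knowledge of the evasion. Never add `style` to ALLOWED_ATTRS without a real CSS parser behind it, and treat the findings list as a hunting signal: a message that produces the @import finding is worth a look in your mail logs regardless of whether the sanitizer caught it.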
Product Status
Information not provided
References (3 total)
- https://wiki.zimbra.com/wiki/ZimbraSecurityAdvisories
- https://wiki.zimbra.com/wiki/Security_Center
- https://wiki.zimbra.com/wiki/ZimbraResponsibleDisclosure_Policy
Authorized Data Publishers
CISA-ADP
SSVC and KEV, plus CVSS and CWE if not provided by the CNA.
SSVC (1 total)
| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| active | no | partial | 2.0.3 | 2026-04-20 |
KEV (1 total)
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48700 (2026-04-20)
CWE (1 total)
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS (1 total)
| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 6.1 | MEDIUM | 3.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
About this page
Source document text, dates, docket IDs, and authority are extracted directly from CISA.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.