🟡 CVE-2025-66376

CVE-2025-66376 is a stored XSS vulnerability in Zimbra Collaboration's Classic UI that allows remote attackers to execute malicious scripts via CSS @import directives in HTML emails. This vulnerability affects internet-facing email servers and has been actively exploited by Russian APT groups.

Risk Level: MEDIUM_RISK

MITRE Technique: T1190

CVSS Score: 7.2

Attack Vector: NETWORK

Deployment Risk: HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2026-01-05

Added to CISA KEV: 2026-03-18 (72 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence

Key Sources:

  • CVE-2025-66376 Detail - NVD

    This CVE record has been marked for NVD enrichment efforts. Description. Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message. CVE Dictionary Entry: CVE-2025-66376 NVD Published Date: 01/05/2026 NVD Last Modified: 01/08/2026 Source: MITRE.

  • CVE-2025-66376: Zimbra Collaboration XSS Vulnerability - SentinelOne

    CVE-2025-66376 is a stored cross-site scripting flaw in Zimbra Collaboration Suite that exploits CSS @import directives in HTML emails. This article covers technical details, affected versions, impact, and mitigation.

  • Operation GhostMail: Russian APT exploits Zimbra Webmail to Target ...

    Operation GhostMail uncovers a Russian APT campaign exploiting a Zimbra XSS vulnerability (CVE-2025-66376) to target a Ukrainian government agency via phishing emails and browser-based data exfiltration.

  • Known Exploited Vulnerabilities Catalog - CISA

    For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework. How to use the KEV ...

  • CVE-2025-66376 Zimbra Collaboration Suite Classic UI cross site...

    This vulnerability is reported as CVE-2025-66376. The attack can be launched remotely. No exploit exists. The affected component should be upgraded. VulDB is the best source for vulnerability data and more expert information about this specific topic. This vulnerability is traded as CVE-2025-66376 since 11/28/2025. The exploitability is told to be easy. It is possible to launch the attack remotely.