theinfosecnews

CVE-2025-66376

CISA KEV

Published March 18, 2026 · Updated April 3, 2026

high

What This Means

**CVE-2025-66376: Zimbra ZCS CSS @import XSS in Classic UI** Zimbra Collaboration Suite's Classic UI fails to strip CSS `@import` directives from the HTML of incoming email. The attacker only has to send a message: when the victim opens it in the Classic UI, the `@import` directive loads an attacker-controlled external stylesheet into the webmail page, and the advisory classifies the result as cross-site scripting, that is, attacker-controlled script executing in the victim's browser with the victim's session privileges. That is enough for session hijacking, credential theft, or reading and sending from the mailbox. Patch immediately using Synacor's security update. As a temporary control, block or quarantine inbound email whose HTML carries `@import` in a `<style>` element or a `style` attribute; match on normalized CSS rather than on the literal string `@import`, because CSS escapes (`@\69mport`), comments, and mixed case defeat a plain substring filter. Audit ZCS logs for suspicious email processing and for user sessions from unfamiliar IPs or user-agents.
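The gateway stopgap described above, as an added example that is not code from theinfosecnews, Synacor, or CISA: the Python below pulls CSS out of every text/html MIME part, normalizes it (CSS comments stripped, CSS escapes decoded, HTML entities decoded for `style` attributes) and flags any `@import` rule. The two sample messages and the host `attacker.example` are constructed for the demonstration. The matcher deliberately over-matches (it also flags `@im/**/port`, which a strict CSS tokenizer would not treat as one at-keyword) because a temporary filter should prefer false positives to misses.

```python
"""Flag CSS @import directives in HTML e-mail bodies (gateway-filter stopgap)."""
import email
import html
import re
from email import policy

# CSS escape: backslash + 1-6 hex digits + optional single whitespace,
# or backslash + any other non-newline character.
_CSS_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\n\r\f]?|([^0-9a-fA-F\n\r\f]))")
_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_STYLE_BLOCK = re.compile(r"<style\b[^>]*>(.*?)</style\s*>", re.I | re.S)
_STYLE_ATTR = re.compile(r"""\bstyle\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""", re.I | re.S)
# At-keywords are ASCII case-insensitive; capture up to the terminating semicolon.
_IMPORT_RULE = re.compile(r"@import\b[^;]*;?", re.I | re.S)


def decode_css_escapes(css: str) -> str:
    """Turn CSS escape sequences back into characters ('\\69' -> 'i')."""
    def repl(m: re.Match) -> str:
        if m.group(1):
            cp = int(m.group(1), 16)
            if cp == 0 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
                return "\ufffd"  # CSS maps invalid code points to U+FFFD
            return chr(cp)
        return m.group(2)
    return _CSS_ESCAPE.sub(repl, css)


def normalize_css(css: str) -> str:
    """Strip comments, then decode escapes, so '@\\69mport' and '@im/**/port' read '@import'."""
    return decode_css_escapes(_CSS_COMMENT.sub("", css))


def extract_css(html_body: str) -> list[str]:
    """Collect CSS from <style> elements (raw text, no entity decoding) and style= attributes
    (attribute values are entity-decoded by the browser before CSS parsing, so decode them too)."""
    chunks = [m.group(1) for m in _STYLE_BLOCK.finditer(html_body)]
    for m in _STYLE_ATTR.finditer(html_body):
        value = next(g for g in m.groups() if g is not None)
        chunks.append(html.unescape(value))
    return chunks


def find_css_imports(html_body: str) -> list[str]:
    """Return every @import rule in the HTML after de-obfuscation (empty list if none)."""
    found: list[str] = []
    for css in extract_css(html_body):
        found.extend(m.group(0).strip() for m in _IMPORT_RULE.finditer(normalize_css(css)))
    return found


def message_has_css_import(raw: bytes) -> bool:
    """True if any text/html part of the RFC 5322 message carries an @import rule."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html" and find_css_imports(part.get_content()):
            return True
    return False


# Constructed sample messages (not real captures); attacker.example is an assumed placeholder host.
SAMPLE_OBFUSCATED = b"""\
From: sender@example.net
To: victim@example.org
Subject: invoice
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><head><style>
/* decoy */ @\\69mport url("https://attacker.example/x.css");
</style></head><body><p>Please see attached.</p></body></html>
"""

SAMPLE_BENIGN = b"""\
From: news@example.net
To: victim@example.org
Subject: newsletter
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><head><style>p { color: #336699; }</style></head>
<body><p style="font-weight:bold">Hello</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("obfuscated", SAMPLE_OBFUSCATED), ("benign", SAMPLE_BENIGN)):
        print(name, "->", "QUARANTINE" if message_has_css_import(raw) else "pass")
```

Wire `message_has_css_import` into whatever content-filter or milter hook your gateway exposes, and quarantine rather than reject: some legitimate newsletters use `@import`, and the filter only needs to hold until Synacor's patch is applied.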

Official Description

Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability in the Classic UI where attackers could abuse Cascading Style Sheets (CSS) @import directives in email HTML.

Affected Products

| Vendor | Product |
| --- | --- |
| Synacor | Zimbra Collaboration Suite (ZCS) |

Patch Status

CISA KEV due date: 2026-04-01 (federal agencies must apply Synacor's patch by then)

Recommended Actions

  1. Check whether you run Zimbra Collaboration Suite (ZCS) and whether your users read mail in the Classic UI.
  2. Apply Synacor's security update immediately.
  3. This vulnerability is in CISA's Known Exploited Vulnerabilities catalog with a due date of 2026-04-01; prioritize remediation accordingly.
  4. Until patched, filter or quarantine inbound HTML email containing CSS `@import` directives at the mail gateway, and monitor Synacor's advisories for updates and additional mitigations.
  5. Review ZCS logs for indicators of compromise related to CVE-2025-66376: user sessions from unfamiliar IP addresses or user-agents, and stored messages whose HTML contains `@import`.

Related Coverage

CVE-2025-66376: Zimbra Collaboration Suite Classic UI Vulnerable to CSS @import XSS Attack

CVE-2025-66376 is a cross-site scripting vulnerability in Synacor Zimbra Collaboration Suite's Classic UI that lets an unauthenticated remote attacker inject script via CSS @import directives in HTML email; the payload runs when the recipient views the message in the Classic UI. Successful exploitation enables session hijacking, credential theft, and full mailbox access within the victim's authenticated session. CISA requires federal agencies to apply Synacor's patch by April 1, 2026.
