Zimbra Warns of XSS Vulnerability in Classic Web Client That Could Allow Malicious Code Execution via Email

Views: 70 views

380/69 Monday, July 13, 2026

Zimbra has issued an advisory urging users to update its software to fix a serious vulnerability affecting the Classic Web Client. The vulnerability is a Stored Cross-Site Scripting (Stored XSS) flaw that could allow attackers to send specially crafted emails to execute malicious scripts in a user’s session when the email is opened. At the time of reporting, the vulnerability had not yet been assigned a CVE identifier.

Zimbra stated that if the vulnerability is exploited, attackers could access data in the user’s mailbox, session data, or account settings. XSS vulnerabilities occur when a web application displays untrusted data on a web page without properly validating or sanitizing characters. This allows attackers to inject and execute malicious JavaScript in the victim’s browser, which could lead to session hijacking, credential theft, or account takeover. Stored XSS, also known as Persistent XSS, is a form of XSS in which the malicious script is stored on the target server and executes when a user opens the page or content containing the script.

Although Zimbra has not stated whether this vulnerability has already been exploited in attacks, XSS vulnerabilities in Zimbra have repeatedly attracted attacker interest and have been used as attack vectors in the past, including CVE-2023-37580 and CVE-2024-27443. Another Stored XSS vulnerability in the Classic Web Client, tracked as CVE-2025-27915, was previously reported as potentially being exploited as a zero-day in attacks targeting Brazilian military entities, although Zimbra stated at the time that it had found no evidence supporting the claim. Given the high risk that this type of vulnerability could be exploited in attacks, users should update to Zimbra Collaboration Suite version 10.1.19 to ensure appropriate protection.

Source: https://thehackernews.com/2026/07/critical-zimbra-flaw-could-let-crafted_0483473395.html