{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "10.0.0" }, { "fixed": "10.0.18" }, { "introduced": "10.1.0" }, { "fixed": "10.1.13" } ] }, "events": [ { "introduced": "b68c7b31a1d94f94903a79c53f1bd316b792de1d" }, { "fixed": "c2fac09a3333bcb767866afa3203541da2e8729c" }, { "introduced": "52b539ef205db233bfd8116e8130e27735b4153c" }, { "fixed": "1884e94c76d9602c75dff36c9ff9a5ec2224c582" } ], "repo": "https://github.com/zimbra/zm-build", "type": "GIT" } ] } ], "details": "Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.", "id": "CVE-2025-66376", "modified": "2026-04-01T23:09:37.521024006Z", "published": "2026-01-05T15:15:44.903Z", "references": [ { "type": "WEB", "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy" }, { "type": "WEB", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-66376" }, { "type": "ADVISORY", "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.18#Security_Fixes" }, { "type": "ADVISORY", "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.13#Security_Fixes" }, { "type": "ADVISORY", "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories" }, { "type": "ADVISORY", "url": "https://wiki.zimbra.com/wiki/Security_Center" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "type": "CVSS_V3" } ] }