Zimbra has released an urgent update to address a critical security vulnerability in its Classic Web Client, which could allow attackers to execute arbitrary code through specially crafted emails. This flaw, identified as a stored cross-site scripting (XSS) vulnerability, enables malicious scripts to run within a user’s session upon opening a compromised email.
The vulnerability arises from inadequate validation of email content, permitting attackers to embed harmful JavaScript code. When a user opens such an email, the script executes in their browser, potentially leading to unauthorized access to mailbox information, session data, or account settings.
Cross-site scripting vulnerabilities occur when web applications fail to properly sanitize user input, allowing attackers to inject malicious scripts. Stored XSS, in particular, involves the permanent storage of these scripts on the server, making them a persistent threat to users who access the compromised content.
While there is no current evidence of this specific vulnerability being exploited in the wild, similar XSS flaws in Zimbra have been targeted by attackers in the past. For instance, in October 2025, a stored XSS vulnerability in the Classic Web Client (CVE-2025-27915) was reportedly exploited in attacks against the Brazilian military. Additionally, other XSS vulnerabilities, such as CVE-2023-37580 and CVE-2024-27443, have been leveraged by threat actors in previous incidents.
Given the potential for abuse, Zimbra strongly recommends that users upgrade to Zimbra Collaboration Suite version 10.1.19 to mitigate this risk. This update addresses the identified vulnerability and enhances the overall security of the platform.
In the broader context, this incident underscores the persistent threat posed by XSS vulnerabilities in web applications. Organizations must prioritize regular security assessments and timely patching to protect against such exploits. Users should remain vigilant, exercise caution when opening emails, and ensure their software is up to date to safeguard against potential attacks.