Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes
Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes
Publish Date: 2026-07-10 17:08:00
Source Domain: securityaffairs.com
Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes
Pierluigi Paganini
July 10, 2026

Zimbra addressed a critical stored XSS vulnerability in its Classic Web Client that lets malicious emails execute code when opened.
Zimbra has released version 10.1.19 to fix a critical stored XSS vulnerability in its Classic Web Client, which is widely used to access Zimbra Collaboration. The flaw, which has not yet received a CVE ID, can be exploited by sending specially crafted emails that execute malicious code when opened in the Classic UI. Successful exploitation could allow attackers to access to mailbox information, session data, or account settings.
“The update fixes a security issue in the Classic Web Client where a specially crafted email could run malicious code when the email is opened. If exploited, it could allow access to mailbox information, session data, or account settings.” reads the advisory
“We strongly recommend all customers to upgrade to ZCS v10.1.19 to ensure they have received the latest security patches, bug fixes, and enhancements.”
Google’s Threat Analysis Group discovered the vulnerability.
Although there is no evidence of active exploitation yet, organizations using the Classic Web Client should update as soon as possible.
Since the beginning of 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added [1, 2, 3] the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:
- CVE-2025-68645 (CVSS score of 8.8) Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability
- CVE-2020-7796 (CVSS score of 9.8) Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability
- CVE-2025-66376 (CVSS score of 7.2) Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability.
In March, Russia-linked APT group, likely APT28 (aka…