A cross-site scripting flaw in the Zimbra Collaboration Suite Classic UI lets attackers run arbitrary JavaScript in a user's session simply by getting them to open a crafted email, and CISA has added it to the KEV catalog with confirmed active exploitation.
What Is It
CVE-2025-48700 is a stored XSS vulnerability in the Zimbra Classic UI caused by insufficient sanitization of HTML content in email messages. Crafted tag structures and attribute values, including CSS @import directives and other script-injection vectors, get past the sanitizer, so attacker-supplied JavaScript executes inside the victim's authenticated webmail session. Triggering the bug requires only that the user open the malicious message in the Classic UI; no click inside the message is needed. NVD rates it CVSS 3.1 base score 6.1 (MEDIUM) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: the UI:R reflects the victim opening the mail, S:C reflects that the script runs in the user's browser rather than on the server, and the low C/I ratings follow the standard XSS scoring convention rather than the practical value of a mailbox session.
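A mail-gateway or hunting check for the kinds of constructs the advisory names (CSS @import directives and script-injection vectors in HTML bodies), as an added example that is not part of the advisory and not Zimbra code. It parses a raw RFC 5322 message, pulls out every text/html part and counts indicator hits; the sample message is constructed for the demo and does not reproduce the real bypass payload, and the indicator list is a generic XSS heuristic, not the exact set of tag structures that defeat Zimbra's sanitizer.

```python
import email
import re
from email import policy

# Constructed sample message (not a real exploit). It carries the classes of
# constructs named in the advisory: a CSS @import and script-injection vectors.
SAMPLE_EML = """From: sender@example.test
To: victim@example.test
Subject: quarterly report
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see the attached report.
--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<style>@import url("https://attacker.example/x.css");</style>
<div style="background:url(javascript:alert(1))">report</div>
<img src=x onerror="alert(document.cookie)">
<p>Please see the attached report.</p>
</body></html>
--b1--
"""

# Generic indicators of HTML that tries to reach script execution or pull in
# external style inside a webmail renderer. Case-insensitive, whitespace-tolerant.
INDICATORS = {
    "css_import": re.compile(r"@\s*import\b", re.I),
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "css_expression": re.compile(r"expression\s*\(", re.I),
    "iframe_or_object": re.compile(r"<\s*(iframe|object|embed)\b", re.I),
}

# Indicators that amount to a script-execution attempt on their own.
EXEC_VECTORS = {"script_tag", "event_handler", "javascript_uri", "css_expression"}


def html_parts(raw):
    """Yield the decoded body of every text/html part, including nested ones."""
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def scan_html(html):
    """Return {indicator_name: hit_count} for the indicators that match."""
    hits = {}
    for name, pattern in INDICATORS.items():
        count = len(pattern.findall(html))
        if count:
            hits[name] = count
    return hits


def scan_message(raw):
    """Scan all HTML parts of one raw message and merge the per-indicator counts."""
    merged = {}
    for body in html_parts(raw):
        for name, count in scan_html(body).items():
            merged[name] = merged.get(name, 0) + count
    return merged


def verdict(hits):
    """Triage tier: any execution vector -> 'suspicious'; @import/iframe only -> 'review'."""
    if EXEC_VECTORS & set(hits):
        return "suspicious"
    if hits:
        return "review"
    return "clean"


if __name__ == "__main__":
    found = scan_message(SAMPLE_EML)
    print(found, verdict(found))
```

Run it against a mail spool or a quarantine directory rather than live traffic first: legitimate newsletters use inline styles and occasionally @import, so the "review" tier exists to keep those out of the "suspicious" bucket, and the heuristic will not catch an encoding trick that the Classic UI sanitizer itself fails on.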
Why It Matters
CISA added CVE-2025-48700 to the Known Exploited Vulnerabilities catalog on 2026-04-20, confirming in-the-wild exploitation. Successful exploitation gives the attacker script execution in the victim's mailbox and session context: credentials, mail content, contacts, and any data or action reachable from the Zimbra web session. Because the trigger is just opening a message in the Classic UI, every user who reads email in that interface is a target, with no click required beyond viewing the message. Known ransomware use is currently listed as Unknown.
What's Vulnerable
Per the NVD record, affected versions of Synacor Zimbra Collaboration Suite include:
- 8.8.15 (every enumerated patch level, p1 through p25 and later)
- 9.0
- 10.0.0 up to (but not including) 10.0.12
- 10.1.0 up to (but not including) 10.1.4
The vulnerable surface is specifically the Zimbra Classic UI mail rendering path.
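A version triage check that encodes the NVD-listed ranges above, as an added example that is not part of the advisory and not Zimbra code. It takes the first line of `zmcontrol -v` as run on a mailbox host and reports whether the installed release falls inside a listed range; the `Release 10.0.11_GA_4593...` layout it parses is an assumed format for that output, not something the advisory documents.

```python
import re

# Affected versions exactly as the advisory lists them from the NVD record.
# Listed outright (every patch level counts): 8.8.15 and 9.0.
# Half-open ranges [from, to): 10.0.0 <= v < 10.0.12 and 10.1.0 <= v < 10.1.4.
AFFECTED_PREFIXES = [(8, 8, 15), (9, 0)]
AFFECTED_RANGES = [((10, 0, 0), (10, 0, 12)), ((10, 1, 0), (10, 1, 4))]

# First dotted version in the text; the third component is optional.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return the first dotted version in text as an int tuple, e.g. (10, 0, 11).

    Assumed input (not from the advisory): the first line of `zmcontrol -v`,
    such as 'Release 10.0.11_GA_4593.UBUNTU22_64 UBUNTU22_64_FOSS'.
    """
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no version number found in %r" % text)
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def in_affected_range(version):
    """True when version is inside one of the NVD-listed affected ranges."""
    v = tuple(version)
    for prefix in AFFECTED_PREFIXES:
        if v[: len(prefix)] == prefix:
            return True
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def check(zmcontrol_line):
    """Triage record for one host from its `zmcontrol -v` output."""
    v = parse_version(zmcontrol_line)
    return {
        "version": ".".join(str(x) for x in v),
        "listed_affected": in_affected_range(v),
    }


if __name__ == "__main__":
    # Constructed sample lines standing in for output collected from hosts.
    for line in [
        "Release 10.0.11_GA_4593.UBUNTU22_64 UBUNTU22_64_FOSS",
        "Release 10.1.4_GA_4688.UBUNTU22_64 UBUNTU22_64_FOSS",
        "Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64_FOSS",
    ]:
        print(check(line))
```

Two caveats when reading the result. A version outside every listed range is "not listed", not a clean bill; the check only encodes the NVD enumeration, and anything older than 8.8.15 is outside the ranges because it is not enumerated, not because it is safe. For 8.8.15 the `zmcontrol -v` line does not carry the patch level, which is why the check flags that release as a whole; the advisory lists all of its patch levels anyway, so the host is in scope regardless.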
Patch Status
CISA's required action: "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable." The KEV-listed due date for U.S. federal civilian agencies was 2026-04-23. The fixed releases implied by the NVD CPE ranges are 10.0.12 and later on the 10.0 line and 10.1.4 and later on the 10.1 line; the NVD record gives no fixed version for 8.8.15 or 9.0, which it lists outright. Refer to Zimbra's Security Advisories wiki for the authoritative advisory, the patch guidance for each supported line, and any interim mitigation for the Classic UI rendering path.