Zimbra has told customers to patch immediately. Google’s Threat Analysis Group found a critical Zimbra XSS vulnerability in the platform’s Classic Web Client. A single crafted email, once opened, can run malicious code inside the victim’s active session. That exposes mailbox contents, session tokens and account settings.
Table of Contents
What the Zimbra XSS vulnerability actually does
The bug is a stored cross-site scripting issue. Attackers embed JavaScript inside an email’s content. When a Classic Web Client user opens that message, the browser runs the script as though it came from Zimbra itself. The client trusts data it should not.
The code is stored, not reflected. It does not need a victim to click a link. Opening the email is enough. The payload can fire again each time the message is reopened, until someone removes it.
Zimbra says a successful attack could hand over mailbox information, session data or account settings. Security Affairs reports the exposure can reach further. That includes saved credentials, two-factor codes and up to 90 days of email history.
No CVE yet, but Google’s involvement matters
As of publication, the flaw has no assigned CVE identifier. That is unusual for a bug serious enough to prompt an emergency advisory. It has not slowed the response. Google’s Threat Analysis Group tracks state-sponsored hacking. Its name on the discovery credit is a signal worth reading. TAG does not typically spend time on routine webmail bugs.
Zimbra has not confirmed active exploitation of this specific flaw. Even so, the advisory leans on the platform’s history. XSS bugs in Zimbra have been a recurring target since at least December 2021, and the pattern has continued. CVE-2025-27915 was reportedly used against Brazilian military targets. CVE-2023-37580 saw its own round of exploitation.
Why this keeps happening to Zimbra
The most relevant precedent arrived only months ago. In March 2026, researchers linked Russia’s APT28 to an operation called GhostMail. It abused a related Zimbra XSS flaw, tracked as CVE-2025-66376, against Ukrainian targets. The campaign hit a maritime agency in late January and the State Hydrology Agency. Attackers used compromised student email accounts to deliver phishing messages that hid JavaScript designed to exfiltrate data over DNS and HTTPS tunnels.
Zimbra runs mail for hundreds of millions of users worldwide, including thousands of businesses and hundreds of government bodies, according to BleepingComputer’s reporting. That scale matters. Combined with a documented history of interest from groups such as Winter Vivern, APT29 and APT28, it is why this Zimbra XSS vulnerability deserves same-day attention despite having no CVE number yet, not a slot in next month’s patch cycle.
The fix, and what it does not cover
Zimbra shipped the fix for the Zimbra XSS vulnerability in Zimbra Collaboration Suite 10.1.19, released on 7 July 2026. The advisory is direct: any organisation still running the Classic Web Client should upgrade as soon as possible. Users of the newer, non-Classic web interface are not affected by this particular bug.
The same release carries forward separate mitigation guidance for an SNMP-related issue. Organisations moving up from ZCS 10.0.x, 9.0.x or 8.8.15 need to reapply that mitigation after upgrading. Those already on a patched 10.1.x branch keep their existing protection.
Patching stops new attacks. It does not retroactively defang a malicious email already sitting in an inbox. Because the payload is stored, a message delivered before the patch could still fire the moment someone opens it post-upgrade. Anyone running vulnerable Zimbra infrastructure should treat this as a two-step job. Upgrade the server first, then have IT sweep recent mail for anything that looks like a crafted, script-bearing message before calling the incident closed.
What to watch next
Expect a CVE identifier to follow within days. Zimbra’s advisories have historically picked one up shortly after publication, once the company finishes its internal review. The absence of a number now should not be read as a sign the Zimbra XSS vulnerability is minor. Severity and paperwork move on different clocks.
Watch for two things over the coming weeks. First, whether Zimbra or a third party confirms exploitation in the wild, which would move this from a precautionary patch to an active-incident story. Second, whether any UK or European regulator references the flaw directly, given how many public-sector bodies and regulated firms run Zimbra internally. Neither has happened yet, but both are worth a calendar reminder rather than a shrug.
For now, the practical story is simple. A well-resourced research team found a serious hole in software that hundreds of millions of people rely on for email. Zimbra fixed it quickly. The organisations that come out of this unscathed will be the ones that patched just as quickly, not the ones that waited for a CVE number to make it feel official.
Subscribe to our newsletter
Honest updates, straight to your inbox. Unsubscribe any time.