Zimbra Patches Critical XSS That Runs Code When Opening Emails
Zimbra urges immediate patching for a stored XSS flaw in Classic Web Client that executes malicious code when users open crafted emails. Google TAG reported the vulnerability.
Zimbra released an emergency update on July 8 to patch a critical stored cross-site scripting vulnerability in the Classic Web Client that executes malicious code simply by opening a crafted email. The flaw was reported by Google's Threat Analysis Group, which typically investigates zero-day exploits used by state-sponsored actors.
The vulnerability has not yet been assigned a CVE identifier. Zimbra described the issue as a security flaw "where a specially crafted email could run malicious code when the email is opened." Successful exploitation could enable attackers to obtain session data, account settings, and mailbox information.
Attack Vector and Impact
The stored XSS vulnerability triggers when a user views a malicious email in Zimbra's Classic Web Client (also called Classic UI). Unlike reflected XSS that requires victims to click malicious links, stored XSS payloads persist in the email itself, executing automatically when the message is opened.
This makes the attack particularly dangerous for enterprise environments where employees routinely open emails from unknown senders. An attacker could send a specially formatted email to any Zimbra user, and the malicious payload would execute in the victim's browser session as soon as they viewed it.
Compromised sessions could allow attackers to read emails, access contacts, modify account settings, or use the compromised account to send additional malicious emails to internal contacts, potentially enabling lateral movement through an organization's email infrastructure.
Google TAG Involvement Suggests Active Targeting
Google's Threat Analysis Group focuses on government-backed hacking and advanced persistent threats. Their involvement in reporting this vulnerability suggests either active exploitation or significant interest from sophisticated threat actors.
Zimbra has not confirmed whether the flaw is currently being exploited in the wild, but the combination of a critical severity, low attack complexity, and TAG involvement warrants treating this as an urgent priority.
Zimbra has historically been an attractive target for nation-state actors. We've tracked multiple campaigns targeting email infrastructure throughout 2026, and Zimbra's widespread deployment in government and enterprise environments makes it particularly valuable to threat actors seeking persistent access to communications.
Affected Versions and Patch
The vulnerability affects the Classic Web Client in Zimbra Collaboration Suite versions prior to 10.1.19. Organizations should upgrade immediately to the patched release.
For environments where immediate patching isn't possible, Zimbra recommends temporarily disabling the Classic Web Client and requiring users to access email through the Modern Web Client, which is not affected by this vulnerability.
XSS Vulnerabilities in Zimbra: A Pattern
This disclosure continues a troubling pattern of XSS vulnerabilities in Zimbra's web interface. Similar flaws have been exploited as far back as December 2021, with attackers using email-based exploits to compromise mailboxes and establish persistence.
The Classic Web Client in particular has accumulated multiple security issues over the years. Organizations still using it should evaluate whether migration to the Modern Web Client is feasible, as it presents a smaller attack surface.
Recommendations
- Patch immediately by upgrading to Zimbra Collaboration Suite 10.1.19
- Disable Classic Web Client if immediate patching isn't possible
- Review email logs for unusual patterns that could indicate exploitation attempts
- Monitor user sessions for signs of session hijacking or unauthorized access
- Consider email sandboxing to isolate potentially malicious messages before they reach user inboxes
Organizations running Zimbra should treat this patch as critical priority given the low barrier to exploitation and the involvement of Google's threat intelligence team in its discovery.
Related Articles
Microsoft Finally Patches Exchange OWA Zero-Day After 26-Day Wait
Microsoft releases CVE-2026-42897 fix for Exchange Server OWA XSS vulnerability exploited since May. ESU-only updates for 2016/2019 leave many systems exposed.
Jun 12, 2026Exchange OWA Zero-Day CVE-2026-42897 Exploited — No Patch
Microsoft Exchange Server zero-day CVE-2026-42897 enables session hijacking via malicious emails. Active exploitation confirmed with no permanent fix available.
Jun 1, 2026Exchange Server Zero-Day CVE-2026-42897 Exploited via Crafted Emails
Microsoft confirms active exploitation of CVE-2026-42897, an XSS flaw in Exchange OWA that executes JavaScript via malicious emails. No patch available yet.
May 16, 2026Apple Patches Zero-Day Used in 'Sophisticated' Attacks
CVE-2026-20700 memory corruption flaw in dyld exploited against targeted individuals. Google TAG credited with discovery. Patch now for iOS, macOS, watchOS.
Feb 15, 2026