Severe Zimbra Flaw Runs Malicious Code Directly in Your Inbox

Zimbra's software has becomes a target for malware execution
Since older versions of Zimbra's Classic Web Client are considered highly vulnerable, all users and organizations are advised to upgrade to Zimbra version 10.1.19 as soon as possible. No attacks are currently documented with this specific XSS exploit at this point in time, but it is important to keep security software up-to-date before an exploit becomes widely-used.
It's unfortunate that Zimbra had to patch yet another XSS exploit, but at least the company acted quickly. Meanwhile at Apple, its premium iCloud+ Hide My Email feature has been vulnerable to bypass for over a year. Last year also included a mass credential leak for webmail providers including iCloud, though the leak was focused mostly on Gmail. In light of stories like that, quick patches from Zimbra are a welcome development.
As The Hacker News points out, XSS vulnerabilities have a long history of discovery and use against Zimbra and its contemporaries. One interesting example happened last October, where an XSS vulnerability (CVE-2025-27915) was allegedly used against the Brazilian military, though Zimbra claimed that no evidence had been found of such an attack.
Image Credit: Zimbra