Zimbra has released Collaboration Suite 10.1.19 to patch a critical stored cross-site scripting vulnerability in the Classic Web Client interface, the older UI still deployed at a large share of self-hosted Zimbra installations. The flaw has not yet been assigned a CVE identifier, but the report came from Google’s Threat Analysis Group (TAG), the team that specializes in tracking exploitation by state-backed actors — a provenance that alone justifies moving this to the top of the patch queue even though Zimbra says it has not observed exploitation of this specific bug in the wild.

What happened

The vulnerability is a stored XSS: a specially crafted email, when opened in the Classic Web Client, causes attacker-controlled JavaScript to execute in the victim’s authenticated session. Unlike reflected XSS variants that need a victim to click a malicious link, stored XSS just needs the message to render — no interaction beyond opening mail that already landed in the inbox. Zimbra has not published the injection point (which MIME header or message body field escapes sanitization), which is standard practice until enough of the install base has patched.

Once script executes inside a live Zimbra session, an attacker can pull whatever the webmail session can see: message contents and attachments, contacts, calendar data, and — critically — session cookies and CSRF tokens. Those tokens can be replayed to perform authenticated actions as the victim, including setting up auto-forwarding rules that quietly exfiltrate all future mail, changing account recovery settings, or pivoting to the admin console if the compromised mailbox belongs to a Zimbra administrator.

Why the Classic Web Client, and why it matters

Classic Web Client is Zimbra’s legacy Ajax-based interface, kept around for compatibility even as Zimbra pushes customers toward the newer “Modern” UI. It remains the default or only option for a meaningful number of government, education, and enterprise deployments that haven’t migrated. Attackers that profile Zimbra targets before sending exploit mail — trivial, since the UI choice is often visible from public webmail login pages or Outlook-style headers — can reliably pick victims still running the vulnerable interface.

This is not Zimbra’s first XSS to draw nation-state attention. CISA ordered federal agencies in March 2026 to patch CVE-2025-66376, another Zimbra XSS that APT28-linked operators used against Ukrainian government mailboxes. Zimbra’s history of XSS in webmail interfaces exploited by APT28 and Winter Vivern (UNC4907) against government email is well documented going back to 2023’s CVE-2023-37580. TAG involvement here is consistent with that pattern of espionage actors treating Zimbra webmail as a reliable initial-access vector against public sector targets.

Affected versions and mitigation

Zimbra 10.1.19 fixes the flaw; every version below it that still ships the Classic Web Client should be treated as vulnerable. Action items:

  • Upgrade to Zimbra Collaboration Suite 10.1.19 immediately. There is no documented workaround short of disabling the Classic Web Client entirely and forcing users onto the Modern UI, which itself requires user retraining and isn’t a substitute for patching.
  • If you cannot patch same-day, consider temporarily disabling Classic Web Client access via zmprov and redirecting logins to the Modern interface, which is not affected by this flaw.
  • Audit mail flow logs for anomalous auto-forward rule creation or mailbox filter changes in the days before and after patch deployment — the classic post-exploitation signature for this bug class.
  • Rotate session tokens and force re-authentication for any accounts, especially administrative ones, that accessed Classic Web Client in the exposure window.
  • Treat government, defense-adjacent, and other espionage-attractive Zimbra deployments as priority patch targets given TAG’s involvement and the vendor’s track record with this exact bug class.

Zimbra’s release notes for 10.1.19 are on the Zimbra blog; coverage from BleepingComputer and The Hacker News has the clearest independent summaries. No CVE means no CISA KEV entry yet, but expect one to follow quickly if the exploitation pattern from prior Zimbra XSS bugs repeats.