Zimbra Collaboration Suite Cross-Site Scripting Vulnerability

Release Date: 6 Oct 2025

RISK: High Risk

TYPE: Servers - Internet App Servers

A vulnerability has been identified in Zimbra Collaboration Suite. A remote attacker could exploit this vulnerability to trigger cross-site scripting on the targeted system.

 

Note:

CVE-2025-27915 is being exploited in the wild. A stored cross-site scripting vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. Hence, the risk level is rated as High Risk.

---

Impact

• Cross-Site Scripting

---

System / Technologies affected

• Zimbra Collaboration Kepler prior to 9.0.0 P44
• Zimbra Collaboration Daffodil prior to 10.0.13
• Zimbra Collaboration Daffodil prior to 10.1.5

---

Solutions

Before installation of the software, please visit the vendor web-site for more details.

 

Apply fixes issued by the vendor:

• https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P44#Security_Fixes
• https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.13#Security_Fixes
• https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.5#Security_Fixes

---

Vulnerability Identifier

• CVE-2025-27915

---

Source

• Zimbra

---

Related Link

• https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P44#Security_Fixes
• https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.13#Security_Fixes
• https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.5#Security_Fixes
• https://www.bleepingcomputer.com/news/security/hackers-exploited-zimbra-flaw-as-zero-day-using-icalendar-files/