According to CISA, the Known Exploited Vulnerabilities (KEV) catalog lists CVE-2025-66376 as a cross-site scripting vulnerability in Synacor Zimbra Collaboration Suite (ZCS), specifically in the Classic UI, where attackers could abuse CSS @import directives in email HTML. The entry lists the vulnerability's use in ransomware campaigns as “Unknown”.
Mitigations should be applied per vendor instructions, with guidance to follow BOD 22-01 where cloud services are involved, or to discontinue use of the product if mitigations are unavailable. The entry was added on 18 March 2026, with a due date of 01 April 2026. The page also links to related Zimbra security advisories and the NIST CVE detail for CVE-2025-66376. This KEV listing forms part of CISA’s effort to prioritise vulnerabilities exploited in the wild to help organisations manage risks.