The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two flaws to its Known Exploited Vulnerabilities (KEV) catalog, one affecting Microsoft SharePoint and one affecting Zimbra Collaboration Suite. The two entries are CVE-2026-20963 (CVSS 8.8), a Microsoft SharePoint deserialization of untrusted data vulnerability, and CVE-2025-66376 (CVSS 7.2), a Synacor Zimbra Collaboration Suite cross-site scripting vulnerability.
The advisory notes that the SharePoint flaw allows an unauthenticated attacker to execute arbitrary code remotely on the SharePoint server over the network. Under Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies must remediate every KEV entry by its listed due date: CISA requires CVE-2026-20963 to be fixed by 21 March 2026 and CVE-2025-66376 by 1 April 2026. Although the directive binds only federal agencies, experts urge private organisations to review the KEV catalog as well and to remediate any listed vulnerabilities present in their own infrastructure.
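The practical step behind that advice is to cross-reference the KEV feed against an asset inventory and track each match against its due date. The following script is an added example, not tooling from CISA or from the article. It assumes the feed layout CISA publishes as JSON (a top-level "vulnerabilities" list whose entries carry cveID, vendorProject, product, requiredAction and dueDate fields); the two feed entries and the inventory below are constructed from the article for illustration, and the vendor/product substring matching is a deliberately simple heuristic that a real deployment would replace with version-aware matching.

```python
"""Cross-reference a CISA KEV-format feed against a local asset inventory.

Added example (not CISA's tooling). The field names follow the KEV JSON
schema as assumed here; the sample entries and inventory are constructed
from the article, not taken from the live feed.
"""
import json
from datetime import date

# Constructed KEV excerpt: the two entries named in the article, in the
# assumed feed layout. A real run would load the full feed CISA publishes at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-20963",
            "vendorProject": "Microsoft",
            "product": "SharePoint",
            "vulnerabilityName": "Microsoft SharePoint Deserialization of Untrusted Data Vulnerability",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
            "dueDate": "2026-03-21",
        },
        {
            "cveID": "CVE-2025-66376",
            "vendorProject": "Synacor",
            "product": "Zimbra Collaboration Suite",
            "vulnerabilityName": "Synacor Zimbra Collaboration Suite Cross-Site Scripting Vulnerability",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
            "dueDate": "2026-04-01",
        },
    ],
})

# Hypothetical asset inventory (host, vendor, product). Constructed for the example.
INVENTORY = [
    {"host": "sp01.corp.example", "vendor": "Microsoft", "product": "SharePoint Server 2019"},
    {"host": "mail.corp.example", "vendor": "Synacor", "product": "Zimbra Collaboration Suite 10"},
    {"host": "www.corp.example", "vendor": "Apache", "product": "HTTP Server 2.4"},
]


def load_kev(feed_text):
    """Parse a KEV-format JSON document and return its vulnerability entries."""
    return json.loads(feed_text)["vulnerabilities"]


def asset_matches(entry, asset):
    """Case-insensitive substring match on vendor and product.

    This is a coarse heuristic: it will flag a host running a patched build
    and it knows nothing about versions. Treat its output as a triage list.
    """
    vendor_ok = entry["vendorProject"].lower() in asset["vendor"].lower()
    product_ok = entry["product"].lower() in asset["product"].lower()
    return vendor_ok and product_ok


def match_kev(entries, inventory, today):
    """Return one finding per (KEV entry, matching asset), soonest due date first."""
    findings = []
    for entry in entries:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if not asset_matches(entry, asset):
                continue
            days_left = (due - today).days
            findings.append({
                "cve": entry["cveID"],
                "host": asset["host"],
                "due_date": due.isoformat(),
                "days_left": days_left,
                "overdue": days_left < 0,
                "required_action": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (f["due_date"], f["cve"]))
    return findings


if __name__ == "__main__":
    for f in match_kev(load_kev(KEV_SAMPLE), INVENTORY, date.today()):
        status = "OVERDUE" if f["overdue"] else f"{f['days_left']} days left"
        print(f"{f['cve']}  {f['host']:<22} due {f['due_date']}  {status}")
```

To use it against the live catalog, replace KEV_SAMPLE with the downloaded feed body and INVENTORY with an export from your CMDB or scanner; the sort order puts the nearest due date first, which is the order in which a private organisation following the BOD 22-01 timelines would schedule the patches.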