Zimbra patched a flaw that let hackers hijack accounts just by sending an email

Facepalm: Popular collaboration platform Zimbra was recently updated to patch a potentially dangerous vulnerability in its Classic Web Client component. In theory, malicious actors could abuse the flaw to run script-based malware directly on users’ machines. Needless to say, customers are advised to install the update as soon as possible.

Zimbra owner Synacor has released a new version of its collaboration software, and users should install the update as soon as they can. Zimbra “Daffodil” 10.1.19 includes a fix for a stored cross-site scripting (XSS) vulnerability that could be exploited to compromise customers’ machines through Zimbra’s Classic Web Client.

Cybercriminals could abuse the flaw by sending specially malformed email messages, Zimbra said. A vulnerable client would run the malicious code the moment the message is opened. While the company rates the deployment risk as “low,” the flaw could still prove dangerous for users’ session data, mailbox information, or account settings.

Cross-site scripting vulnerabilities are a common class of security issue routinely abused by resourceful attackers. An XSS flaw lets attackers inject client-side, malicious scripts into web pages viewed by other users. A “stored” XSS bug like Zimbra’s is an especially dangerous variant, since the malicious script is permanently saved on the server rather than triggered on the fly.

Zimbra’s security guidance states that all customers using the Classic Web Client should update the component to the latest available version. Additional advice is given for those using custom SNMP mitigations. So far, the XSS flaw has not been assigned a CVE identifier.

At any rate, malicious actors have been trying to target Zimbra with XSS vulnerabilities for almost five years now.

In October 2025, yet another persistent XSS bug in the Classic Web Client (CVE-2025-27915) was allegedly exploited in zero-day attacks targeting Brazilian military personnel. Other XSS-based attacks targeted Zimbra’s platform in May 2025 and 2023.

Though it has existed in various forms for more than two decades, Zimbra has changed hands several times over the years. The company was purchased by Yahoo! in 2007, sold to VMware three years later, and finally acquired by Buffalo-based service company Synacor in 2015. Zimbra provides collaboration tools, email servers, and web clients in both open source and commercially supported editions. However, the latest open source versions of Zimbra products no longer include official, free binary builds.

Scroll to Top