• Category: Security
  • Status: confirmed
  • Sources: Zimbra 10.1.19 release, Security Affairs
  • Summary: Zimbra released ZCS 10.1.19 (Daffodil) on 2026-07-07 fixing a stored cross-site scripting flaw in the Classic Web Client. A crafted email can carry JavaScript that runs in a recipient's authenticated webmail session when the message is opened or previewed, enabling session-cookie theft, actions on the victim's behalf, and mailbox data access. Zimbra published no CVE id or CVSS score and urges any Classic Web Client user to upgrade as soon as possible. No active exploitation is reported.
  • Why it matters: Zimbra webmail is a recurring target with prior exploited flaws, and a stored-XSS-to-session-takeover in the default classic client is a direct mailbox-compromise path for self-hosted deployments.
  • Follow-up: Watch for a CVE assignment, any active-exploitation or CISA KEV addition, and internet-exposure scans of unpatched Classic Web Client hosts.

Send feedback on this story