#VU126623 Improper Neutralization of Special Elements in Output Used by a Downstream Component in Zimbra Collaboration - CVE-2025-48700

 


Published: December 17, 2024 / Updated: April 21, 2026


Vulnerability identifier: #VU126623
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2025-48700
CWE-ID: CWE-74
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vulnerable software:
Zimbra Collaboration
Software vendor:
Synacor Inc.

Description

The vulnerability allows a remote attacker to load malicious CSS.

The vulnerability exists due to improper neutralization of special elements in the HTML content handling of the Zimbra Classic UI: when rendering crafted HTML content, encoded @import statements inside "style" tags are not neutralized. A remote attacker can send crafted HTML content to load malicious CSS.
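A defender-side check for the pattern described above, as an added example that is not part of the advisory or of Zimbra's code: it pulls each "style" block out of an HTML message body, undoes HTML character references and CSS escapes, and flags blocks that then contain `@import`. The advisory does not say which encodings are involved, so those two are assumptions, and the function names and sample bodies are constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# CSS escape: backslash + 1-6 hex digits (+ one optional whitespace), or backslash + literal char.
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\([^\r\n\f0-9a-fA-F])")
_IMPORT = re.compile(r"@import\b", re.IGNORECASE)

class _StyleCollector(HTMLParser):
    """Collects the raw, undecoded text of every <style> element."""
    def __init__(self):
        super().__init__()
        self.blocks, self._in_style = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
            self.blocks.append("")
    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
    def handle_data(self, data):
        if self._in_style:
            self.blocks[-1] += data

def normalize_css(css):
    """Undo the assumed encodings: character references (up to 3 layers), then CSS escapes."""
    for _ in range(3):
        decoded = html.unescape(css)
        if decoded == css:
            break
        css = decoded
    def repl(m):
        if m.group(1) is None:
            return m.group(2)
        cp = int(m.group(1), 16)
        return chr(cp) if 0 < cp <= 0x10FFFF and not 0xD800 <= cp <= 0xDFFF else "\ufffd"
    return _CSS_ESCAPE.sub(repl, css)

def find_style_imports(html_body):
    """Return one finding per <style> block that contains @import after normalization."""
    collector = _StyleCollector()
    collector.feed(html_body)
    collector.close()
    return [{"encoded": _IMPORT.search(raw) is None, "css": raw.strip()}
            for raw in collector.blocks if _IMPORT.search(normalize_css(raw))]

# Constructed sample message bodies (not taken from any real message).
SAMPLES = {
    "benign": "<style>p { color: #333; }</style><p>Hello</p>",
    "plain": '<style>@import url("https://css.example.invalid/a.css");</style>',
    "entity_encoded": '<p>Hi</p><style>&#64;import url("https://css.example.invalid/b.css");</style>',
}
```

Findings with `encoded` set to `True` are the ones where `@import` only appears after decoding, which is the case a literal string match on the raw message would miss.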


Remediation

Install the security update from the vendor's website.
