Improper Neutralization of Special Elements in Output Used by a Downstream Component in Zimbra Collaboration - CVE-2025-48700

 


Published: December 17, 2024 / Updated: April 21, 2026


Vulnerability identifier: #VU126623
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2025-48700
CWE-ID: CWE-74
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vendor: Synacor Inc.
Affected software:
Zimbra Collaboration

Detailed vulnerability description

The vulnerability allows a remote attacker to load malicious CSS.

The vulnerability exists due to improper neutralization of special elements in "style" tags by the HTML content handling in the Zimbra Classic UI: crafted HTML content containing encoded @import statements in "style" tags is rendered without those statements being neutralized. A remote attacker can send crafted HTML content to load malicious CSS.
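
A gateway-side or triage check for the pattern described above, as an added example that is not part of the advisory or of Zimbra's code. The advisory does not say which encoding is involved, so the decoder assumes HTML character references and CSS backslash escapes; the function names and sample bodies are constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# CSS escape: backslash + 1-6 hex digits (+ one optional whitespace), or backslash + literal char.
CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\([^\r\n\f0-9a-fA-F])")
AT_IMPORT = re.compile(r"@import\b", re.IGNORECASE)

def _decode_escape(m):
    if m.group(2) is not None:          # backslash + literal character
        return m.group(2)
    cp = int(m.group(1), 16)            # backslash + hex code point
    return chr(cp) if 0 < cp < 0x110000 else "\ufffd"

def normalize_css(text, rounds=2):
    """Undo HTML character references and CSS escapes (nested up to `rounds` deep)."""
    for _ in range(rounds):
        text = CSS_ESCAPE.sub(_decode_escape, html.unescape(text))
    return text

class StyleCollector(HTMLParser):       # gathers the raw text of every <style> element
    def __init__(self):
        super().__init__()
        self.blocks, self.in_style = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.blocks.append("")
            self.in_style = True
    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
    def handle_data(self, data):
        if self.in_style:
            self.blocks[-1] += data

def find_style_imports(html_body):
    """Return one finding per <style> block whose decoded CSS contains @import."""
    parser = StyleCollector()
    parser.feed(html_body)
    parser.close()
    return [{"encoded": AT_IMPORT.search(raw) is None, "css": raw.strip()}
            for raw in parser.blocks if AT_IMPORT.search(normalize_css(raw))]

# Constructed sample bodies (not taken from any real message or from the advisory).
SAMPLES = {
    "plain": "<style>@import url('https://example.invalid/a.css');</style>",
    "css_escape": "<style>@\\69mport url('https://example.invalid/a.css');</style>",
    "charref": "<style>&#64;import url('https://example.invalid/a.css');</style>",
    "benign": "<style>p { color: #333; }</style><p>@import is a CSS rule</p>",
}
```

A finding with `encoded` set to true means the `@import` only appears after decoding, which is the case a filter matching the literal string would miss.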


How to mitigate CVE-2025-48700

Install the security update from the vendor's website.
