Zimbra released version 10.1.19 of its collaboration suite on July 7, 2026, to close a stored cross-site scripting vulnerability in the Classic Web Client. The flaw lets an attacker embed malicious script inside a specially crafted email so that simply opening the message in a browser session is enough to run code in the context of the logged-in user, no attachment download and no link click required. Zimbra has not yet assigned the issue a CVE number, but it has pushed the fix through updated zimbra-patch and zimbra-mbox-webclient-war packages and is urging every customer running the Classic Web Client to update immediately.
Why this one deserves urgency
Stored XSS inside a webmail client is about as dangerous as email vulnerabilities get, because the attack surface is the inbox itself. An email is the payload delivery mechanism and the exploit target at the same time, and the victim does not need to do anything beyond opening a message that looks unremarkable. A successful exploit can expose mailbox contents, session tokens, and account settings, which in turn opens the door to further compromise of anything else that mailbox has access to, from shared drives to connected admin panels.
The flaw was reported by Google’s Threat Analysis Group, the unit that specialises in tracking state-backed and financially motivated actors who buy or build exploits for high-value targets. TAG involvement does not automatically mean active exploitation, but it is a strong signal that this class of bug is the kind sophisticated attackers go looking for, and Zimbra’s webmail clients have a long history of exactly that: XSS flaws in Zimbra have been weaponised by real attackers going back to at least 2021.
Why Zimbra specifically matters for European organisations
Zimbra is one of the more common choices for organisations that want to run email on their own infrastructure rather than hand it to a large US cloud provider, whether that is driven by budget, data residency requirements, or a broader push toward digital sovereignty. Public administrations, universities, and mid-sized businesses across Europe run Zimbra precisely because it gives them that control. The tradeoff is that patching responsibility sits entirely with the organisation running it. There is no cloud vendor quietly rolling out the fix in the background; if your team does not apply 10.1.19, the vulnerable code stays live.
What to do now
Update to Zimbra 10.1.19 across every Classic Web Client deployment as the first step, and confirm the update actually applied to both the zimbra-patch and zimbra-mbox-webclient-war components rather than assuming a partial patch cycle covered it. Review webmail access logs for unusual session activity around the disclosure window, and consider whether your organisation’s Zimbra deployment is a good candidate for migrating high-risk users to the Modern Web Client, which was not affected by this flaw. If you are not certain whether your instance is patched, treat that uncertainty as the problem to fix today.
If you run Zimbra or any self-hosted email platform and want a second set of eyes on your patch cadence, session security, or a broader review of how exposed your webmail infrastructure really is, contact Excello Digital. We help European organisations keep sovereign, self-hosted infrastructure both independent and secure.
