COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2025-48700

CVE-2025-48700

Severity
high · on CISA KEV actively exploited
Source
CISA-KEV · kev
Published
2026-04-20
Reference
https://nvd.nist.gov/vuln/detail/CVE-2025-48700
⚡ RCE ⌖ exploited in the wild shame 45/100 rceexploited-in-wildxssunpatched

Synacor ZCS XSS vulnerability (CVE-2025-48700) allows arbitrary JavaScript execution in user sessions, enabling unauthorized access to sensitive data.

This cross-site scripting flaw in Synacor's Zimbra Collaboration Suite allows attackers to inject malicious scripts into user sessions, potentially exfiltrating sensitive information. DIB organizations must patch immediately to prevent session hijacking and data theft, as the vulnerability is actively exploited in the wild.

Shame score — While actively exploited, the vulnerability is a standard XSS flaw rather than a supply-chain or negligence failure, resulting in moderate embarrassment.

Players implicated

Synacor · vendorZimbra Collaboration Suite (ZCS) · product

Description

Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that could allow attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information.

Affected FedRAMP products 0 in the catalog

No correlated FedRAMP products.