Synacor
Products by Synacor Sorted by Most Security Vulnerabilities since 2018
Known Exploited Synacor Vulnerabilities
The following Synacor vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | CVE | EPSS exploit probability | Added |
|---|---|---|---|---|
| Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability | Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability in the Classic UI where attackers could abuse Cascading Style Sheets (CSS) @import directives in email HTML. | CVE-2025-66376 | 10.0% | March 18, 2026 |
| Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability | Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery vulnerability if the WebEx zimlet is installed and zimlet JSP is enabled. | CVE-2020-7796 | 92.9% | February 17, 2026 |
| Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability | Synacor Zimbra Collaboration Suite (ZCS) contains a PHP remote file inclusion vulnerability that could allow remote attackers to craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory. | CVE-2025-68645 | 46.0% | January 22, 2026 |
| Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability | Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messa | CVE-2025-27915 | 22.9% | October 7, 2025 |
| Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability | Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery (SSRF) vulnerability via the ProxyServlet component. | CVE-2019-9621 | 94.1% | July 7, 2025 |
| Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability | Zimbra Collaboration contains a cross-site scripting (XSS) vulnerability in the CalendarInvite feature of the Zimbra webmail classic user interface. An attacker can exploit this vulnerability via an email message containing a crafted calendar header, leading to the execution of arbitrary JavaScript code. | CVE-2024-27443 | 32.4% | May 19, 2025 |
| Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability | Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting (XSS) vulnerability that allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function. | CVE-2023-34192 | 88.5% | February 25, 2025 |
| Synacor Zimbra Collaboration Command Execution Vulnerability | Synacor Zimbra Collaboration contains an unspecified vulnerability in the postjournal service that may allow an unauthenticated user to execute commands. | CVE-2024-45519 | 94.1% | October 3, 2024 |
| Synacor Zimbra Collaboration Suite Improper Restriction of XML External Entity Reference | Improper Restriction of XML External Entity Reference vulnerability affecting Synacor Zimbra Collaboration Suite. | CVE-2019-9670 | 94.4% | January 10, 2022 |
Of the known exploited vulnerabilities above, 5 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 3 known exploited Synacor vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
By the Year
In 2026 there have been 0 vulnerabilities in Synacor. Last year, in 2025, Synacor had 5 security vulnerabilities published. Right now, Synacor is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 5 | 0.00 |
| 2024 | 9 | 0.00 |
| 2023 | 0 | 0.00 |
| 2022 | 2 | 7.50 |
| 2021 | 2 | 0.00 |
| 2020 | 5 | 7.10 |
| 2019 | 10 | 8.40 |
| 2018 | 7 | 5.70 |
It may take a day or so for new Synacor vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Synacor Security Vulnerabilities
| CVE | Date | Title | Description |
|---|---|---|---|
| CVE-2025-48700 | Jun 23, 2025 | Zimbra ZCS 8.8.15-10.1 Classic UI XSS (CVE-2025-48700) | An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, specifically involving crafted tag structures and attribute values that include an @import directive and other script injection vectors. The vulnerability is triggered when a user views a crafted e-mail message in the Classic UI, requiring no additional user interaction. |
| CVE-2024-45516 | May 14, 2025 | Zimbra Classic UI XSS via `<img>` tags (before Patch 43, 10.1.4) | An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, including malformed `<img>` tags with embedded JavaScript. The vulnerability is triggered when a user views a specially crafted email in the Classic UI, requiring no additional user interaction. |
| CVE-2025-32354 | Apr 29, 2025 | CSRF in Zimbra Collaboration Server 9.0-10.1 GraphQL Endpoint | In Zimbra Collaboration (ZCS) 9.0 through 10.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the GraphQL endpoint (/service/extension/graphql) of Zimbra webmail due to a lack of CSRF token validation. This allows attackers to perform unauthorized GraphQL operations, such as modifying contacts, changing account settings, and accessing sensitive user data when an authenticated user visits a malicious website. |
| CVE-2025-25064 | Feb 03, 2025 | ZimbraCollab SQLi via ZimbraSync SOAP before 10.1.4 Injection | SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the request, allowing them to inject arbitrary SQL queries that could retrieve email metadata. |
| CVE-2025-25065 | Feb 03, 2025 | SSRF in Zimbra RSS Feed Parser (9.0.0-42, 10.0.x<12, 10.1.x<4) | SSRF vulnerability in the RSS feed parser in Zimbra Collaboration 9.0.0 before Patch 43, 10.0.x before 10.0.12, and 10.1.x before 10.1.4 allows unauthorized redirection to internal network endpoints. |
| CVE-2024-54663 | Dec 19, 2024 | Zimbra Collab LFI via /h/rest (9.0/10.0/10.1) | An issue was discovered in the Webmail Classic UI in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A Local File Inclusion (LFI) vulnerability exists in the /h/rest endpoint, allowing authenticated remote attackers to include and access sensitive files in the WebRoot directory. Exploitation requires a valid auth token and involves crafting a malicious request targeting specific file paths. |
| CVE-2024-45517 | Nov 21, 2024 | Zimbra Collaboration Suite 10.1 XSS via /h/rest unfiltered JS | An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A Cross-Site Scripting (XSS) vulnerability in the /h/rest endpoint of the Zimbra webmail and admin panel interfaces allows attackers to execute arbitrary JavaScript in the victim's session. This issue is caused by improper sanitization of user input, leading to potential compromise of sensitive information. Exploitation requires user interaction to access the malicious URL. |
| CVE-2024-45194 | Nov 21, 2024 | Zimbra 9.0/10.0 Webmail XSS via Admin Panel | In Zimbra Collaboration (ZCS) 9.0 and 10.0, a vulnerability in the Webmail Modern UI allows execution of stored Cross-Site Scripting (XSS) payloads. An attacker with administrative access to the Zimbra Administration Panel can inject malicious JavaScript code while configuring an email account. This injected code is stored on the server and executed in the context of the victim's browser when interacting with specific elements in the web interface. (The vulnerability can be mitigated by properly sanitizing input parameters to prevent the injection of malicious code.) |
| CVE-2024-45513 | Nov 21, 2024 | Stored XSS via /modern/contacts/print vCard in Zimbra CS 10.1 | An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A stored Cross-Site Scripting (XSS) vulnerability exists in the /modern/contacts/print endpoint of Zimbra webmail. This allows an attacker to inject and execute arbitrary JavaScript code in the context of the victim's browser when a crafted vCard (VCF) file is processed and printed. This could lead to unauthorized actions within the victim's session. |
| CVE-2024-45514 | Nov 21, 2024 | XSS in Zimbra Collaboration Server v10.1 via unsanitized packages param | An issue was discovered in Zimbra Collaboration (ZCS) through v10.1. A Cross-Site Scripting (XSS) vulnerability exists in one of the endpoints of Zimbra Webmail due to insufficient sanitization of the packages parameter. Attackers can bypass the existing checks by using encoded characters, allowing the injection and execution of arbitrary JavaScript within a victim's session. |