Zimbra Patches Critical XSS Vulnerability in Classic Web Client
Zimbra has released a patch for a critical cross-site scripting (XSS) vulnerability in its Classic Web Client, urging immediate updates to prevent account takeovers.

Zimbra, a provider of open-source email and collaboration software, has issued an urgent security advisory and patch for a critical cross-site scripting (XSS) vulnerability affecting its Classic Web Client. The vulnerability, identified as CVE-2026-32779, allows attackers to inject and execute arbitrary JavaScript code within the context of a logged-in user's browser session.
This flaw poses a significant risk to users of the Zimbra Collaboration suite, as successful exploitation could lead to various malicious activities. Attackers could potentially hijack user sessions, steal sensitive information such as credentials and emails, or perform actions on behalf of the victim without their knowledge. The ability to execute JavaScript in the user's context means that any action a user can perform within the web client could theoretically be automated or manipulated by an attacker.
The vulnerability specifically targets the Classic Web Client interface, which is a widely used component for accessing Zimbra mailboxes, calendars, and contacts. While Zimbra also offers a Modern Web Client, the Classic version remains in use by many organizations, making the scope of potential impact considerable. The company has not disclosed the exact number of affected installations but emphasizes the critical nature of the flaw.
Zimbra's security team has provided a patch to address CVE-2026-32779. Customers are strongly advised to apply this update as soon as possible to mitigate the risk of exploitation. The company recommends that administrators verify that their Zimbra Collaboration instances are running the latest patched versions. For those unable to patch immediately, disabling the Classic Web Client or implementing strict input validation on user-submitted data could serve as temporary workarounds, though patching remains the most effective solution.
While the advisory does not attribute the vulnerability to any specific threat actor or mention active exploitation in the wild, the critical severity rating and the nature of XSS vulnerabilities mean that exploitation is likely to be attempted by malicious actors. Organizations using Zimbra should prioritize this update to protect their users and sensitive data from potential compromise.
This incident underscores the ongoing importance of timely patching for widely used collaboration platforms. As businesses increasingly rely on these tools for daily operations, vulnerabilities that allow for session hijacking and arbitrary code execution can have severe consequences, including data breaches and significant operational disruption.