Zimbra 10.1.19 patches Classic Web Client stored XSS, TAG-reported
Zimbra shipped Daffodil 10.1.19 on July 7 to fix a stored XSS in the Classic Web Client where a crafted email runs JavaScript in the recipient's mailbox session. Reporter: Google TAG. No CVE assigned.
Zimbra released Daffodil 10.1.19 on July 7, 2026 to close a stored cross-site scripting flaw in the Classic Web Client — the "Classic UI" webmail that ships alongside the Modern UI in every Zimbra Collaboration deployment. A specially crafted email, once opened or previewed by the recipient, executes attacker-controlled JavaScript in the context of that user's authenticated webmail session. The bug has not been assigned a CVE ID and Zimbra has not published a CVSS score, but rates the Patch Security Severity as High. The reporter is Google's Threat Analysis Group — the team that typically surfaces zero-days tied to state-sponsored operators.
What the bug does
The primitive is textbook stored XSS in a webmail: an email body carries markup that survives the Classic Web Client's sanitiser and executes once the message is rendered. In a Zimbra session that means whatever the attacker's JavaScript can reach from the DOM — session cookies and CSRF tokens for the SOAP endpoints, mailbox content the current user can read, contact and calendar data, mail-filter rules, and outbound-message construction. The output primitive is what any post-auth mailbox compromise gives: silent draft-and-send, mailbox exfiltration, and persistence via server-side filters that survive a password reset.
Zimbra's own release note frames the fix minimally — the wiki page for 10.1.19 describes it as "essentially a two-line patch in 2 javascript files (and corresponding .zgz files) in zimbra-mbox-webclient-war, while the zimbra-patch package itself does nothing extra." No detection artefacts, IOCs, or affected-filename disclosures have been published by Zimbra or Google.
Affected versions
- Vulnerable: Any Zimbra Collaboration Suite deployment that still has the Classic Web Client enabled — including 10.1.x below 10.1.19, and older-branch 10.0.x, 9.0.x, and 8.8.15 users who have not moved forward.
- Fixed: ZCS 10.1.19, delivered as:
zimbra-patch → 10.1.19.1783177840-2zimbra-mbox-webclient-war → 10.1.19.1783175257-1
- Not affected: The Modern UI. Zimbra's advisory is explicit — "this issue only impacts the users of Classic Web Client."
Operators upgrading from 10.1.x who had already applied the earlier SNMP mitigation keep it in force after the upgrade. Operators moving up from 10.0.x, 9.0.x, or 8.8.15 must re-apply the SNMP mitigation after upgrading to 10.1.19 — the wiki release notes call this out and it is the single most common misstep on Zimbra major-branch upgrades.
Exploitation status
Zimbra's advisory does not confirm active exploitation. The signal to take seriously is the reporter: Google TAG publishes primarily on vulnerabilities they have already observed used against high-risk users, and Zimbra Classic Web Client bugs have been a favoured foothold for state-aligned mail-espionage clusters for years — Winter Vivern's CVE-2023-37580 chain in 2023 is the closest architectural analogue. Neither Google nor Zimbra has published IOCs, YARA/Sigma rules, or affected-tenant counts as of publication. This story updates if either party ships detection material.
No public proof-of-concept has surfaced on the usual channels (GitHub, X, packetstorm) between July 7 and July 13. Given the two-line JS patch, expect the delta between shipped fix and public PoC to be short.
Action checklist
- Upgrade to ZCS 10.1.19 on every mailbox server, not just internet-facing ones — the vector is inbound email, and internal-only Zimbra deployments still receive external mail from Exchange relays, MX gateways, and forwarded newsletters. Cross-check the package versions above after upgrade; a rollback that leaves
zimbra-mbox-webclient-warat the older build reintroduces the flaw silently. - Re-apply the SNMP mitigation if the upgrade path was 10.0.x → 10.1.19, 9.0.x → 10.1.19, or 8.8.15 → 10.1.19. Zimbra's wiki release note flags this in-line; skipping it is the most common upgrade regression on this branch.
- Force users off the Classic Web Client where operationally possible. The Modern UI is unaffected by this bug and — over the last three years of Zimbra security history — has taken meaningfully fewer webmail-XSS hits than Classic.
zmprov modifyCog default zimbraFeatureModernUIEnabled TRUEand audit which cog still forces the Classic UI. - Hunt for stored-XSS payloads in message bodies received before the upgrade window. The bug is stored — a message delivered on July 6 executes on the first open after that, and no rescan happens on upgrade. Prioritise VIP mailboxes and any account with mail rules that auto-forward or expose SOAP.
- Rotate anything a webmail session can reach: OAuth tokens issued to Zimbra clients, IMAP/POP app passwords, ActiveSync device keys, and SOAP admin credentials used by connectors. Treat any Classic-UI mailbox opened between the June email-ingest window and the upgrade as post-compromise until log review says otherwise.
Context
This is the third Zimbra webmail XSS chain reported by Google TAG in three years. CVE-2023-37580 — a reflected XSS in the Classic Web Client — was exploited by Winter Vivern against multiple foreign ministries before Zimbra shipped the emergency patch in July 2023. CVE-2024-45519, the postjournal RCE, followed in September 2024 — a different vulnerability class but the same operator cluster monetising it against the same target set. Google TAG surfacing the July 2026 XSS fits the same pattern: the Classic Web Client is old code shipping a wide attack surface to a customer base with a lot of interesting mailboxes.
The architectural takeaway is unchanged. Any Zimbra tenant that continues to expose the Classic UI is running webmail whose XSS-safety story is a rolling patch cycle, not a defended surface. The Modern UI is the only long-term answer — 10.1.19 buys the window to migrate.
What other outlets missed
Coverage this week has repeated Zimbra's "no CVE assigned" line without noting the operational consequence: vulnerability-management systems that key off CVE IDs will not flag this. Tenable, Qualys, and Rapid7 plugins for Zimbra 10.1.19 will detect the vulnerable package version, but ticket-management pipelines that filter by "CVE-2026-*" — and there are a lot of them — will miss the item entirely until a MITRE ID lands. Add zimbra-mbox-webclient-war < 10.1.19.1783175257-1 as a version-based check to the patch dashboard, not a CVE watchlist.