{"id":"CVE-2025-27914","details":"An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0 and 10.1. A Reflected Cross-Site Scripting (XSS) vulnerability exists in the /h/rest endpoint, allowing authenticated attackers to inject and execute arbitrary JavaScript in a victim's session. Exploitation requires a valid auth token and involves a crafted URL with manipulated query parameters that triggers XSS when accessed by a victim.","modified":"2026-04-10T05:24:19.944456Z","published":"2025-03-12T15:15:39.800Z","references":[{"type":"ADVISORY","url":"https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.11#Security_Fixes"},{"type":"ARTICLE","url":"https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zimbra/zm-build","events":[{"introduced":"0"},{"last_affected":"b6cd8f69d2761c014d4a3807f0bdee0011386444"},{"introduced":"0"},{"last_affected":"52b539ef205db233bfd8116e8130e27735b4153c"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"9.0.0-NA"},{"introduced":"0"},{"last_affected":"10.1.0"}]}}],"versions":["10.1.0","8.7.10","8.7.11","8.7.6","8.7.7","8.7.9","8.8.0.beta1","8.8.10","8.8.12","8.8.2","8.8.3","8.8.4","8.8.6","8.8.7","8.8.8","8.8.9","8.8.9.p1","8.8.9.p3","9.0.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"10.0.0"},{"fixed":"10.0.11"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27914.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}