Known Exploited Vulnerabilities (KEV)

CISA Catalog

Known Exploited Vulnerabilities

· Live CISA DataCISA KEV catalog — vulnerabilities with active exploitation requiring federal remediation

Data sourced from the official CISA Known Exploited Vulnerabilities Catalog. Federal agencies are required to remediate these vulnerabilities by the due date per BOD 22-01.

KEV Entries

1,619

Ransomware Use

327

Overdue

1,615

Vendors

266

Products

655

18 results · Page 1/1

CVE-2025-48700Overdue

Due: 2026-04-23
Added: 2026-04-20

Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability

Synacor · Zimbra Collaboration Suite (ZCS)

Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that could allow attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information.

Required Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CVE-2025-66376Overdue

Due: 2026-04-01
Added: 2026-03-18

Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability

Synacor · Zimbra Collaboration Suite (ZCS)

Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability in the Classic UI where attackers could abuse Cascading Style Sheets (CSS) @import directives in email HTML.

Required Action

CVE-2020-7796Overdue

Due: 2026-03-10
Added: 2026-02-17

Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability

Synacor · Zimbra Collaboration Suite

Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery vulnerability if WebEx zimlet installed and zimlet JSP is enabled.

Required Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CVE-2025-68645Overdue

Due: 2026-02-12
Added: 2026-01-22

Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability

Synacor · Zimbra Collaboration Suite (ZCS)

Synacor Zimbra Collaboration Suite (ZCS) contains a PHP remote file inclusion vulnerability that could allow for remote attackers to craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.

Required Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CVE-2025-27915Overdue

Due: 2025-10-28
Added: 2025-10-07

Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability

Synacor · Zimbra Collaboration Suite (ZCS)

Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration.

Required Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CVE-2019-9621Overdue

Due: 2025-07-28
Added: 2025-07-07

Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability

Synacor · Zimbra Collaboration Suite (ZCS)

Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery (SSRF) vulnerability via the ProxyServlet component.

Required Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CVE-2024-27443Overdue

Due: 2025-06-09
Added: 2025-05-19

Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability

Synacor · Zimbra Collaboration Suite (ZCS)

Zimbra Collaboration contains a cross-site scripting (XSS) vulnerability in the CalendarInvite feature of the Zimbra webmail classic user interface. An attacker can exploit this vulnerability via an email message containing a crafted calendar header, leading to the execution of arbitrary JavaScript code.

Required Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CVE-2023-34192Overdue

Due: 2025-03-18
Added: 2025-02-25

Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability

Synacor · Zimbra Collaboration Suite (ZCS)

Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting (XSS) vulnerability that allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function.

Required Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CVE-2024-45519Overdue

Due: 2024-10-24
Added: 2024-10-03

Synacor Zimbra Collaboration Suite (ZCS) Command Execution Vulnerability

Synacor · Zimbra Collaboration Suite (ZCS)

Synacor Zimbra Collaboration Suite (ZCS) contains an unspecified vulnerability in the postjournal service that may allow an unauthenticated user to execute commands.

Required Action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CVE-2023-37580Overdue

Due: 2023-08-17
Added: 2023-07-27

Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability

Synacor · Zimbra Collaboration Suite (ZCS)

Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability impacting the confidentiality and integrity of data.

Required Action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CVE-2022-27926Overdue

Due: 2023-04-24
Added: 2023-04-03

Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability

Synacor · Zimbra Collaboration Suite (ZCS)

Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability by allowing an endpoint URL to accept parameters without sanitizing.

Required Action

Apply updates per vendor instructions.

CVE-2022-41352Overdue

Due: 2022-11-10
Added: 2022-10-20

Synacor Zimbra Collaboration Suite (ZCS) Arbitrary File Upload Vulnerability

Synacor · Zimbra Collaboration Suite (ZCS)

Synacor Zimbra Collaboration Suite (ZCS) allows an attacker to upload arbitrary files using cpio package to gain incorrect access to any other user accounts.

Required Action

Apply updates per vendor instructions.

CVE-2022-27925RansomwareOverdue

Due: 2022-09-01
Added: 2022-08-11

Synacor Zimbra Collaboration Suite (ZCS) Arbitrary File Upload Vulnerability

Synacor · Zimbra Collaboration Suite (ZCS)

Synacor Zimbra Collaboration Suite (ZCS) contains flaw in the mboximport functionality, allowing an authenticated attacker to upload arbitrary files to perform remote code execution. This vulnerability was chained with CVE-2022-37042 which allows for unauthenticated remote code execution.

Required Action

Apply updates per vendor instructions.

CVE-2022-37042RansomwareOverdue

Due: 2022-09-01
Added: 2022-08-11

Synacor Zimbra Collaboration Suite (ZCS) Authentication Bypass Vulnerability

Synacor · Zimbra Collaboration Suite (ZCS)

Synacor Zimbra Collaboration Suite (ZCS) contains an authentication bypass vulnerability in MailboxImportServlet. This vulnerability was chained with CVE-2022-27925 which allows for unauthenticated remote code execution.

Required Action

Apply updates per vendor instructions.

CVE-2022-27924RansomwareOverdue

Due: 2022-08-25
Added: 2022-08-04

Synacor Zimbra Collaboration Suite (ZCS) Command Injection Vulnerability

Synacor · Zimbra Collaboration Suite (ZCS)

Synacor Zimbra Collaboration Suite (ZCS) allows an attacker to inject memcache commands into a targeted instance which causes an overwrite of arbitrary cached entries.

Required Action

Apply updates per vendor instructions.

CVE-2018-6882RansomwareOverdue

Due: 2022-05-10
Added: 2022-04-19

Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability

Synacor · Zimbra Collaboration Suite (ZCS)

Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that might allow remote attackers to inject arbitrary web script or HTML.

Required Action

Apply updates per vendor instructions.

CVE-2022-24682RansomwareOverdue

Due: 2022-03-11
Added: 2022-02-25

Synacor Zimbra Collaborate Suite (ZCS) Cross-Site Scripting Vulnerability

Synacor · Zimbra Collaborate Suite (ZCS)

Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting (XSS) vulnerability in the Calendar feature that allows an attacker to execute arbitrary code.

Required Action

Apply updates per vendor instructions.

CVE-2019-9670Overdue

Due: 2022-07-10
Added: 2022-01-10

Synacor Zimbra Collaboration Suite (ZCS) Improper Restriction of XML External Entity Reference

Synacor · Zimbra Collaboration Suite (ZCS)

Synacor Zimbra Collaboration Suite (ZCS) contains an improper restriction of XML external entity (XXE) vulnerability in the mailboxd component.

Required Action

Apply updates per vendor instructions.