Security Center


Zimbra Security - News & Alerts

How to stay informed about security announcements?

You could manually check this page: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

And/or subscribe to these RSS feeds (you can use the Zimbra Classic UI or another feed reader, such as r2e on Linux):

And subscribe to the Zeta Alliance mailing lists: https://lists.zetalliance.org/mailman/listinfo/users_lists.zetalliance.org

ZCS 10.1.13 Released

ZCS 10.1.13 was released on Thu Nov 06 2025. The release includes security fixes for:

  • Patched a stored XSS vulnerability in the Classic UI where attackers could abuse CSS @import directives in email HTML. CVE-2025-66376
  • Revoked and removed hardcoded Flickr API credentials from the Flickr Zimlet. CVE-2025-67809
  • Introduced path validation in the ExportAndDeleteItemsRequest API to prevent unsafe file exports. TBD
  • Addressed a missing CSRF enforcement issue in specific authentication flows. TBD
  • Addressed an unauthenticated local file inclusion vulnerability in the RestFilter. CVE-2025-68645
  • Fixed a stored XSS vulnerability in Zimbra Mail Client for emails with PDF attachments.
  • Added input validation and null checks in the PreAuthServlet to prevent internal error disclosure on malformed requests.
  • Addressed an admin account enumeration issue.
  • Upgraded Apache HttpClient library to version 4.5.14 as a proactive security and maintenance measure.

ZCS 10.0.18 Released

ZCS 10.0.18 was released on Thu Nov 06 2025. The release includes security fixes for:

  • Patched a stored XSS vulnerability in the Classic UI where attackers could abuse CSS @import directives in email HTML. CVE-2025-66376
  • Introduced path validation in the ExportAndDeleteItemsRequest API to prevent unsafe file exports. TBD
  • Addressed a missing CSRF enforcement issue in specific authentication flows. TBD
  • Addressed an unauthenticated local file inclusion vulnerability in the RestFilter. CVE-2025-68645

ZCS 10.1.12 Released

ZCS 10.1.12 was released on Thu Oct 16 2025. The release includes security fixes for:

  • Addressed a Server-Side Request Forgery (SSRF) vulnerability in the chat proxy configuration. CVE-2025-62763


ZCS 10.1.10 Released

ZCS 10.1.10 was released on Fri July 18 2025. The release includes security fixes for:

  • Access to the GraphiQL IDE at /modern/graphiql has been disabled.
  • The @babel/runtime package has been upgraded to version 7.27.6 to address a ReDoS vulnerability. CVE-2025-27789
  • Addressed a Cross-Site Request Forgery (CSRF) vulnerability in the ResetPasswordRequest SOAP operation by enforcing CSRF token validation. CVE-2025-54390
  • A security fix has been applied to require a valid auth token before allowing 2FA modifications, preventing unauthorized changes. CVE-2025-54391
  • The Rsync package has been upgraded to version 3.4.1 to fix multiple vulnerabilities.

ZCS 10.0.16 Released

ZCS 10.0.16 was released on Fri July 18 2025. The release includes security fixes for:

  • Addressed a Cross-Site Request Forgery (CSRF) vulnerability in the ResetPasswordRequest SOAP operation by enforcing CSRF token validation. CVE-2025-54390
  • A security fix has been applied to require a valid auth token before allowing 2FA modifications, preventing unauthorized changes. CVE-2025-54391
  • Write access to /opt/zimbra/jetty/webapps has been restricted to enhance security and mitigate potential risks.

ZCS 10.1.9 Released

ZCS 10.1.9 was released on Wed June 18 2025. The release includes security fixes for:

  • Addressed a denial of service (DoS) vulnerability in the admin console that could lead to service disruptions. CVE-2025-53645
  • This patch fixes a critical security vulnerability related to stored cross-site scripting in the Zimbra Classic Web Client. The fix strengthens input sanitization and enhances security. All customers are strongly advised to upgrade to this latest patch version immediately. CVE-2025-27915

ZCS 10.0.15 Released

ZCS 10.0.15 was released on Wed June 18 2025. The release includes security fixes for:

  • Addressed a denial of service (DoS) vulnerability in the admin console that could lead to service disruptions. CVE-2025-53645
  • This patch fixes a critical security vulnerability related to stored cross-site scripting in the Zimbra Classic Web Client. The fix strengthens input sanitization and enhances security. All customers are strongly advised to upgrade to this latest patch version immediately. CVE-2025-27915

ZCS 9.0.0 Patch 46 Released

ZCS 9.0.0 Patch 46 was released on Wed June 18 2025. The release includes security fixes for:

  • Addressed a denial of service (DoS) vulnerability in the admin console that could lead to service disruptions. CVE-2025-53645
  • This patch fixes a critical security vulnerability related to stored cross-site scripting in the Zimbra Classic Web Client. The fix strengthens input sanitization and enhances security. All customers are strongly advised to upgrade to this latest patch version immediately. CVE-2025-27915

ZCS 10.1.8 Released

ZCS 10.1.8 was released on Thu May 15 2025. The release includes security fixes for:

  • Addressed a denial of service (DoS) vulnerability that could lead to service disruptions. A new local config attribute, ajax_uri_max_assets_requests_allowed, has been added. CVE-2025-53645
  • The ClamAV package has been upgraded to version 1.0.8 to fix multiple vulnerabilities. CVE-2025-20128 CVE-2024-20505

ZCS 10.0.14 Released

ZCS 10.0.14 was released on Thu May 15 2025. The release includes security fixes for:

  • Addressed a denial of service (DoS) vulnerability that could lead to service disruptions. A new local config attribute, ajax_uri_max_assets_requests_allowed, has been added. CVE-2025-53645