Synacor Zimbra Collaboration Suite (ZCS) 10 before version 10.0.18 contains a stored/reflected XSS vulnerability (CVE-2025-66376, CVSS 8.1) that is being actively exploited. It is triggered by malicious CSS @import directives in HTML email content viewed in the Classic UI. The vulnerability's CISA KEV listing confirms in-the-wild exploitation and carries a remediation deadline of 2026-04-01. Organizations should upgrade to ZCS 10.0.18 immediately or disable the Classic UI as an interim control, and review mail logs and browser session telemetry for signs of session hijacking (T1185).
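For the mail review step, a triage helper can list every CSS @import rule found in the HTML parts of a stored message. This is an added example, not code from the advisory or from Zimbra: it is a heuristic that flags all @import use rather than a signature for CVE-2025-66376, and the sample message and `example.test` hosts are constructed.

```python
import re
from email import message_from_bytes, policy
from html.parser import HTMLParser

CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
AT_IMPORT = re.compile(r"@import\b[^;]*", re.I)  # one rule, up to its ';'

class StyleCollector(HTMLParser):
    """Collect CSS text from <style> elements and style="" attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_style = False
        self.css = []

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True
        for name, value in attrs:
            if name == "style" and value:
                self.css.append(value)

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:
            self.css.append(data)

def find_css_imports(raw_message: bytes) -> list[str]:
    """Return every CSS @import rule in the text/html parts of a message."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = StyleCollector()
        collector.feed(part.get_content())  # decodes transfer encoding/charset
        collector.close()
        for css in collector.css:
            css = CSS_COMMENT.sub("", css)  # drop CSS comments before matching
            hits += [m.group(0).strip() for m in AT_IMPORT.finditer(css)]
    return hits

# Constructed sample message for demonstration only.
SAMPLE = (b"From: a@example.test\r\nTo: b@example.test\r\nSubject: constructed sample\r\n"
          b"MIME-Version: 1.0\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
          b"<html><head><style>@import url('https://cdn.example.test/a.css');</style></head>"
          b"<body><p style=\"color:red\">hi</p></body></html>\r\n")
```

A non-empty result marks the message for manual review; legitimate HTML mail rarely needs @import, but a hit alone does not establish exploitation.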