The Cybersecurity and Infrastructure Security Agency has updated its Known Exploited Vulnerabilities list to include high-severity flaws impacting Microsoft SharePoint and the Synacor Zimbra Collaboration Suite, Security Affairs reports.

By deserializing untrusted data, the Microsoft Office SharePoint vulnerability, tracked as CVE-2026-20963, could be harnessed by authorized threat actors to enable code execution over a network. "In a network-based attack, an unauthenticated attacker could write arbitrary code to inject and execute code remotely on the SharePoint Server," according to the CISA advisory.

On the other hand, the stored cross-site scripting flaw in Zimbra's Classic UI, tracked as CVE-2025-66376, may allow attackers to exploit CSS @import directives within email HTML.

Federal agencies have been ordered by CISA to remediate CVE-2026-20963 and CVE-2025-66376 by Mar. 21 and Apr. 1, respectively. Meanwhile, private companies are also urged to assess the catalog and fix both vulnerabilities.
Vulnerability Management, Patch/Configuration Management
Updated CISA exploited flaws list adds SharePoint, Zimbra bugs




