Platform: wordpress
Component: transmail
Fixed in: 3.3.2
CVE-2025-49028 identifies a Cross-Site Scripting (XSS) vulnerability in Zoho ZeptoMail (the transmail component on the WordPress platform), affecting versions from 0.0.0 up to and including 3.3.1. The vulnerability allows attackers to inject malicious scripts through the transmail functionality, potentially leading to unauthorized access to and control of user accounts. A patch addressing this issue has been released in version 3.3.2.
The XSS vulnerability in Zoho ZeptoMail allows an attacker to inject arbitrary JavaScript into the application. That code is then executed in the context of a victim's browser when they visit a crafted URL. Successful exploitation could lead to session hijacking, account takeover, defacement of the ZeptoMail interface, or theft of sensitive information such as email content and credentials. Because this is a stored XSS, the malicious script persists on the server, making it a persistent threat to every user who interacts with the affected functionality.
CVE-2025-49028 was published on December 31, 2025. Currently, there are no publicly available proof-of-concept exploits. The vulnerability's severity is rated HIGH (CVSS 7.1), indicating a potential for significant impact. It is advisable to prioritize patching to prevent exploitation, especially given the potential for account takeover.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-49028 is to upgrade Zoho ZeptoMail to version 3.3.2 or later immediately. If upgrading is not immediately feasible, consider deploying a Web Application Firewall (WAF) with rules that filter suspicious input to the transmail functionality. Carefully review and sanitize all user-supplied input before it is rendered in the ZeptoMail interface, and monitor ZeptoMail logs for unusual activity or suspicious script injections. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload through the transmail feature and verifying that it is not executed.
Update to version 3.3.2, or a newer patched version
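The advisory recommends sanitizing user-supplied input before it is rendered. The following is an added illustration of the general WordPress pattern behind that advice, written for this page; it is not code from the ZeptoMail/transmail plugin, and the actual vulnerable sink behind CVE-2025-49028 is not described here. The option name `example_sender_name`, the nonce action `example_save_sender` and all function names are hypothetical. It contrasts a settings field that echoes a stored value unescaped (the shape a stored XSS typically takes) with the hardened form: capability check and nonce on save, `sanitize_text_field()` on the way in, and `esc_attr()` at the point of output.

```php
<?php
// Added example for this page; not the transmail plugin's own code.
// Option name, nonce action and function names below are hypothetical.

// --- Vulnerable pattern: a stored string is written straight into an HTML attribute ---
function example_render_sender_field_vulnerable() {
    $name = get_option( 'example_sender_name', '' );
    // No escaping: a stored value containing a closing quote can break out of the
    // attribute and inject markup that runs for every admin who loads this page.
    echo '<input type="text" name="example_sender_name" value="' . $name . '">';
}

// --- Hardened pattern: authorize, verify the nonce, sanitize on input, escape on output ---
function example_save_sender_field() {
    // Only users who may manage options can change the setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // Rejects requests that do not carry a valid nonce for this form.
    check_admin_referer( 'example_save_sender', 'example_nonce' );

    $raw = isset( $_POST['example_sender_name'] ) ? wp_unslash( $_POST['example_sender_name'] ) : '';
    // sanitize_text_field() strips tags, line breaks and invalid UTF-8 before storage.
    // It does NOT encode quotes, so output escaping below is still required.
    update_option( 'example_sender_name', sanitize_text_field( $raw ) );
}

function example_render_sender_field_hardened() {
    $name = get_option( 'example_sender_name', '' );
    // Emits the hidden nonce field that check_admin_referer() validates on save.
    wp_nonce_field( 'example_save_sender', 'example_nonce' );
    // esc_attr() encodes quotes, angle brackets and ampersands for the attribute context,
    // so whatever was stored is rendered as text rather than interpreted as markup.
    echo '<input type="text" name="example_sender_name" value="' . esc_attr( $name ) . '">';
}
```

The important distinction is that input sanitization alone does not close a stored XSS in an attribute context; escaping must happen at the output sink with the function matching that context (`esc_attr()` for attributes, `esc_html()` for element text, `wp_kses_post()` where limited HTML is intended). To confirm which version is installed before and after the upgrade, `wp plugin get transmail --field=version` (WP-CLI, using the component slug shown on this page) prints the active plugin version.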
CVE-2025-49028 is a Cross-Site Scripting (XSS) vulnerability in Zoho ZeptoMail allowing attackers to inject malicious scripts, potentially leading to account takeover.
You are affected if you are using Zoho ZeptoMail versions 0.0.0 through 3.3.1. Upgrade to 3.3.2 or later to mitigate the risk.
Upgrade Zoho ZeptoMail to version 3.3.2 or later. Consider WAF rules and input sanitization as temporary mitigations.
As of the current date, there are no confirmed reports of active exploitation, but the vulnerability's severity warrants immediate attention.
Refer to the official Zoho security advisory for details and updates regarding CVE-2025-49028.