Vulnerability Description
Zimbra Collaboration (ZCS) 10.0 and 10.1 contains an LDAP injection vulnerability in the Mailbox SOAP service within a FolderAction operation. The application fails to properly sanitize user-supplied input before incorporating it into an LDAP search filter. An authenticated attacker can exploit this issue by sending a crafted SOAP request that manipulates the LDAP query, allowing retrieval of sensitive directory attributes.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Synacor | Zimbra Collaboration Suite | >= 10.0.0, < 10.1.16 |
Related Weaknesses (CWE)
References
- https://wiki.zimbra.com/wiki/Security_CenterVendor AdvisoryRelease Notes
- https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.16#Security_FixesRelease Notes
- https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_PolicyProduct
- https://wiki.zimbra.com/wiki/Zimbra_Security_AdvisoriesVendor Advisory
FAQ
What is CVE-2026-33369?
CVE-2026-33369 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Zimbra Collaboration (ZCS) 10.0 and 10.1 contains an LDAP injection vulnerability in the Mailbox SOAP service within a FolderAction operation. The application fails to properly sanitize user-supplied ...
How severe is CVE-2026-33369?
CVE-2026-33369 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33369?
Check the references section above for vendor advisories and patch information. Affected products include: Synacor Zimbra Collaboration Suite.