Vulnerability Description
An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. An XML External Entity (XXE) vulnerability exists in the Zimbra Exchange Web Services (EWS) SOAP interface due to improper handling of XML input. An authenticated attacker can submit crafted XML data that is processed by an XML parser with external entity resolution enabled. Successful exploitation may allow disclosure of sensitive local files from the server.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Synacor | Zimbra Collaboration Suite | >= 10.0.0, < 10.1.16 |
Related Weaknesses (CWE)
References
- https://wiki.zimbra.com/wiki/Security_CenterVendor AdvisoryRelease Notes
- https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.16#Security_FixesRelease Notes
- https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_PolicyProduct
- https://wiki.zimbra.com/wiki/Zimbra_Security_AdvisoriesVendor Advisory
FAQ
What is CVE-2026-33371?
CVE-2026-33371 is a vulnerability with a CVSS score of 4.3 (MEDIUM). An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. An XML External Entity (XXE) vulnerability exists in the Zimbra Exchange Web Services (EWS) SOAP interface due to improper handling...
How severe is CVE-2026-33371?
CVE-2026-33371 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33371?
Check the references section above for vendor advisories and patch information. Affected products include: Synacor Zimbra Collaboration Suite.