Vulnerability Report

CVE-2026-33370

Title: Zimbra Collaboration Stored XSS

XSS

Proof Of Concept

No public PoC currently indexed for CVE-2026-33370.

CWE Category NVD-CWE-noinfo

Published Date Mar 20, 2026

Modified Date Apr 01, 2026

Exploit Status Not Found

Score 6.1 CVSS v

Exploit Probability (EPSS)

0.04%

Vulnerability Summary

CVE-2026-33370: An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Zimbra Briefcase feature due to insufficient sanitization of specific uploaded file types. When a user opens a publicly shared Briefcase file containing malicious scripts, the embedded JavaScript executes in the context of the user's session. This allows an attacker to run arbitrary scripts, potentially leading to data exfiltration or other unauthorized actions on behalf of the victim user.

Impacted Vendors

synacor 1

zimbra 1

Reference Links

https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.16#Security_Fixes https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

CVSS v3.1

Source Entity 134c704f-9b21-4f2e-91b3-4a467353bcc0

Severity MEDIUM

6.1

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

REQUIRED

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

CHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Associated Attack Patterns (CAPEC)

Total: Patterns