Vulnerability Report

CVE-2026-33371

Title: Zimbra Collaboration XXE Vulnerability

XXE

Proof Of Concept

No public PoC currently indexed for CVE-2026-33371.

CWE Category NVD-CWE-noinfo

Published Date Mar 20, 2026

Modified Date Apr 01, 2026

Exploit Status Not Found

Score 4.3 CVSS v

Exploit Probability (EPSS)

0.06%

Vulnerability Summary

CVE-2026-33371: An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. An XML External Entity (XXE) vulnerability exists in the Zimbra Exchange Web Services (EWS) SOAP interface due to improper handling of XML input. An authenticated attacker can submit crafted XML data that is processed by an XML parser with external entity resolution enabled. Successful exploitation may allow disclosure of sensitive local files from the server.

Impacted Vendors

zimbra 1

synacor 1

Reference Links

https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.16#Security_Fixes https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

CVSS v3.1

Source Entity 134c704f-9b21-4f2e-91b3-4a467353bcc0

Severity MEDIUM

4.3

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Associated Attack Patterns (CAPEC)

Total: Patterns