Medium severity4.3NVD Advisory· Published Mar 20, 2026· Updated Apr 1, 2026

CVE-2026-33371

Description

An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. An XML External Entity (XXE) vulnerability exists in the Zimbra Exchange Web Services (EWS) SOAP interface due to improper handling of XML input. An authenticated attacker can submit crafted XML data that is processed by an XML parser with external entity resolution enabled. Successful exploitation may allow disclosure of sensitive local files from the server.

Affected products

VMware/Zimbra Collaboration Suite
cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*
Range: >=10.0.0,<10.1.16

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

wiki.zimbra.com/wiki/Security_CenternvdVendor AdvisoryRelease Notes
wiki.zimbra.com/wiki/Zimbra_Security_AdvisoriesnvdVendor Advisory
wiki.zimbra.com/wiki/Zimbra_Releases/10.1.16nvdRelease Notes
wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_PolicynvdProduct

News mentions

No linked articles in our index yet.

cvss	0.280
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000