CVE-2026-33371

An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. An XML External Entity (XXE) vulnerability exists in the Zimbra Exchange Web Services (EWS) SOAP interface due to improper handling of XML input. An authenticated attacker can submit crafted XML data that is processed by an XML parser with external entity resolution enabled. Successful exploitation may allow disclosure of sensitive local files from the server.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://wiki.zimbra.com/wiki/Security_Center
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.16#Security_Fixes
https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-20 14:16

Updated : 2026-03-24 15:54

NVD link : CVE-2026-33371

Mitre link : CVE-2026-33371

CVE.ORG link : CVE-2026-33371

JSON object : View

Products Affected

No product.

CWE

CWE-611

Improper Restriction of XML External Entity Reference

4.3 /10