CVE-2026-33371

Name: CVE-2026-33371
Creator: NVD / NIST
Published: 2026-03-20T14:16:16.24+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 4.3/10EPSS 0.23%

Last modified Jun 17, 2026

CVE-2026-33371 is a medium-severity vulnerability rated 4.3/10 on the CVSS scale. An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. An XML External Entity (XXE) vulnerability exists in the Zimbra Exchange Web Services (EWS) SOAP interface due to improper handling of XML input. EPSS estimates a 0.23% chance of exploitation in the next 30 days.

Description

An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. An XML External Entity (XXE) vulnerability exists in the Zimbra Exchange Web Services (EWS) SOAP interface due to improper handling of XML input. An authenticated attacker can submit crafted XML data that is processed by an XML parser with external entity resolution enabled. Successful exploitation may allow disclosure of sensitive local files from the server.

Metrics

CVSS 3.1

4.3/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS Probability

0.23%

14.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-611

Affected Software

Vendor	Product	Versions
Synacor	Zimbra Collaboration Suite	>= 10.0.0, < 10.1.16

References

https://wiki.zimbra.com/wiki/Security_CenterRelease Notes, Vendor Advisory
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.16#Security_FixesRelease Notes
https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_PolicyProduct
https://wiki.zimbra.com/wiki/Zimbra_Security_AdvisoriesVendor Advisory

Timeline

Published: Mar 20, 2026
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2026-33371?

How severe is CVE-2026-33371?

CVE-2026-33371 has a CVSS score of 4.3/10 (MEDIUM severity). The EPSS model estimates a 0.23% probability of exploitation in the next 30 days.

How do I fix CVE-2026-33371?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-33371?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST