Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Zimbra Briefcase feature due to insufficient sanitization of specific uploaded file types. When a user opens a publicly shared Briefcase file containing malicious scripts, the embedded JavaScript executes in the context of the user's session. This allows an attacker to run arbitrary scripts, potentially leading to data exfiltration or other unauthorized actions on behalf of the victim user.
AnalysisAI
A stored cross-site scripting (XSS) vulnerability exists in Zimbra Collaboration Server (ZCS) versions 10.0 and 10.1 within the Briefcase feature, caused by insufficient sanitization of uploaded file types. When an attacker crafts a malicious file and shares it via the Briefcase public sharing mechanism, the embedded JavaScript executes in the victim's browser session context when the file is opened, enabling arbitrary script execution, session hijacking, credential theft, and unauthorized actions on behalf of the victim. No CVSS score, EPSS data, or active KEV status is currently available, though the attack vector is network-based with low complexity and requires user interaction (file opening).
Technical ContextAI
The vulnerability resides in Zimbra Collaboration Server's Briefcase module, which handles file uploads and public sharing. The root cause is insufficient input sanitization and output encoding for file types that can embed or execute scripts (CWE-79: Improper Neutralization of Input During Web Page Generation). While the CPE data provided is incomplete (cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:*), the vulnerability specifically affects Zimbra versions 10.0 and 10.1. The flaw allows stored malicious JavaScript within file contents or metadata to persist in the Briefcase database and execute in the security context of any user who accesses the shared file, bypassing client-side and server-side filtering mechanisms.
RemediationAI
Upgrade Zimbra Collaboration Server to version 10.1.16 or later, which includes the security fix for this XSS vulnerability in the Briefcase feature. This is the primary and most effective remediation. Until patches can be deployed, administrators should restrict public sharing of Briefcase files via administrative policy, disable the Briefcase feature if not essential, or limit Briefcase access to authenticated internal users only via network segmentation or reverse proxy rules. Review the vendor security advisory at https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories and https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.16#Security_Fixes for patch details and additional hardening guidance. Additionally, implement Content Security Policy (CSP) headers on Zimbra web interfaces to mitigate in-browser XSS execution as a defense-in-depth measure.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13694