Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. An XML External Entity (XXE) vulnerability exists in the Zimbra Exchange Web Services (EWS) SOAP interface due to improper handling of XML input. An authenticated attacker can submit crafted XML data that is processed by an XML parser with external entity resolution enabled. Successful exploitation may allow disclosure of sensitive local files from the server.
AnalysisAI
An XML External Entity (XXE) vulnerability exists in Zimbra Collaboration Server (ZCS) versions 10.0 and 10.1 within the Exchange Web Services (EWS) SOAP interface due to improper XML input handling. An authenticated attacker can submit crafted XML payloads to an XML parser with external entity resolution enabled, potentially disclosing sensitive local files from the server. No CVSS score, EPSS data, or known exploitation-in-the-wild status is currently available, though the vulnerability has been documented in Zimbra's security advisory system.
Technical ContextAI
The vulnerability resides in the Exchange Web Services (EWS) SOAP interface component of Zimbra Collaboration Server, which processes XML-formatted requests. XXE vulnerabilities (CWE-611: Improper Restriction of XML External Entity Reference) occur when an XML parser is configured to resolve external entity declarations without proper validation or sandboxing. In this case, the EWS SOAP parser accepts and processes untrusted XML input containing external entity definitions, allowing attackers to reference local system files (such as /etc/passwd), internal network resources, or trigger denial-of-service conditions through billion laughs attacks. The affected versions (ZCS 10.0 and 10.1) did not implement adequate XML parser hardening or input validation to prevent this attack class.
RemediationAI
Upgrade Zimbra Collaboration Server to version 10.1.16 or later, which includes fixes for this XXE vulnerability (as documented in https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.16#Security_Fixes). If immediate patching is not feasible, restrict network access to the EWS SOAP interface to trusted administrative networks only, disable or restrict EWS functionality if not required for operations, and monitor SOAP request logs for suspicious XML patterns containing external entity declarations. Additionally, configure the underlying Java XML parser to disable external entity resolution by setting appropriate parser features (such as XXE prevention flags in the SOAP framework). Consult Zimbra's security center and responsible disclosure policy for the most current advisory details and any supplementary mitigations.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13696