Skip to main content

Zimbra Collaboration EUVDEUVD-2026-13694

| CVE-2026-33370 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-20 mitre
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 20, 2026 - 14:15 euvd
EUVD-2026-13694
Analysis Generated
Mar 20, 2026 - 14:15 vuln.today
CVE Published
Mar 20, 2026 - 00:00 nvd
MEDIUM 6.1

DescriptionCVE.org

An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Zimbra Briefcase feature due to insufficient sanitization of specific uploaded file types. When a user opens a publicly shared Briefcase file containing malicious scripts, the embedded JavaScript executes in the context of the user's session. This allows an attacker to run arbitrary scripts, potentially leading to data exfiltration or other unauthorized actions on behalf of the victim user.

AnalysisAI

A stored cross-site scripting (XSS) vulnerability exists in Zimbra Collaboration Server (ZCS) versions 10.0 and 10.1 within the Briefcase feature, caused by insufficient sanitization of uploaded file types. When an attacker crafts a malicious file and shares it via the Briefcase public sharing mechanism, the embedded JavaScript executes in the victim's browser session context when the file is opened, enabling arbitrary script execution, session hijacking, credential theft, and unauthorized actions on behalf of the victim. No CVSS score, EPSS data, or active KEV status is currently available, though the attack vector is network-based with low complexity and requires user interaction (file opening).

Technical ContextAI

The vulnerability resides in Zimbra Collaboration Server's Briefcase module, which handles file uploads and public sharing. The root cause is insufficient input sanitization and output encoding for file types that can embed or execute scripts (CWE-79: Improper Neutralization of Input During Web Page Generation). While the CPE data provided is incomplete (cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:*), the vulnerability specifically affects Zimbra versions 10.0 and 10.1. The flaw allows stored malicious JavaScript within file contents or metadata to persist in the Briefcase database and execute in the security context of any user who accesses the shared file, bypassing client-side and server-side filtering mechanisms.

RemediationAI

Upgrade Zimbra Collaboration Server to version 10.1.16 or later, which includes the security fix for this XSS vulnerability in the Briefcase feature. This is the primary and most effective remediation. Until patches can be deployed, administrators should restrict public sharing of Briefcase files via administrative policy, disable the Briefcase feature if not essential, or limit Briefcase access to authenticated internal users only via network segmentation or reverse proxy rules. Review the vendor security advisory at https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories and https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.16#Security_Fixes for patch details and additional hardening guidance. Additionally, implement Content Security Policy (CSP) headers on Zimbra web interfaces to mitigate in-browser XSS execution as a defense-in-depth measure.

Share

EUVD-2026-13694 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy