Skip to main content

Microsoft EUVDEUVD-2026-13696

| CVE-2026-33371 MEDIUM
Improper Restriction of XML External Entity Reference (CWE-611)
2026-03-20 mitre
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 20, 2026 - 14:15 euvd
EUVD-2026-13696
Analysis Generated
Mar 20, 2026 - 14:15 vuln.today
CVE Published
Mar 20, 2026 - 00:00 nvd
MEDIUM 4.3

DescriptionCVE.org

An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. An XML External Entity (XXE) vulnerability exists in the Zimbra Exchange Web Services (EWS) SOAP interface due to improper handling of XML input. An authenticated attacker can submit crafted XML data that is processed by an XML parser with external entity resolution enabled. Successful exploitation may allow disclosure of sensitive local files from the server.

AnalysisAI

An XML External Entity (XXE) vulnerability exists in Zimbra Collaboration Server (ZCS) versions 10.0 and 10.1 within the Exchange Web Services (EWS) SOAP interface due to improper XML input handling. An authenticated attacker can submit crafted XML payloads to an XML parser with external entity resolution enabled, potentially disclosing sensitive local files from the server. No CVSS score, EPSS data, or known exploitation-in-the-wild status is currently available, though the vulnerability has been documented in Zimbra's security advisory system.

Technical ContextAI

The vulnerability resides in the Exchange Web Services (EWS) SOAP interface component of Zimbra Collaboration Server, which processes XML-formatted requests. XXE vulnerabilities (CWE-611: Improper Restriction of XML External Entity Reference) occur when an XML parser is configured to resolve external entity declarations without proper validation or sandboxing. In this case, the EWS SOAP parser accepts and processes untrusted XML input containing external entity definitions, allowing attackers to reference local system files (such as /etc/passwd), internal network resources, or trigger denial-of-service conditions through billion laughs attacks. The affected versions (ZCS 10.0 and 10.1) did not implement adequate XML parser hardening or input validation to prevent this attack class.

RemediationAI

Upgrade Zimbra Collaboration Server to version 10.1.16 or later, which includes fixes for this XXE vulnerability (as documented in https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.16#Security_Fixes). If immediate patching is not feasible, restrict network access to the EWS SOAP interface to trusted administrative networks only, disable or restrict EWS functionality if not required for operations, and monitor SOAP request logs for suspicious XML patterns containing external entity declarations. Additionally, configure the underlying Java XML parser to disable external entity resolution by setting appropriate parser features (such as XXE prevention flags in the SOAP framework). Consult Zimbra's security center and responsible disclosure policy for the most current advisory details and any supplementary mitigations.

Share

EUVD-2026-13696 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy