{"api_version":"1","generated_at":"2026-04-22T23:22:13+00:00","cve":"CVE-2026-33371","urls":{"html":"https://cve.report/CVE-2026-33371","api":"https://cve.report/api/cve/CVE-2026-33371.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-33371","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-33371"},"summary":{"title":"CVE-2026-33371","description":"An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. An XML External Entity (XXE) vulnerability exists in the Zimbra Exchange Web Services (EWS) SOAP interface due to improper handling of XML input. An authenticated attacker can submit crafted XML data that is processed by an XML parser with external entity resolution enabled. Successful exploitation may allow disclosure of sensitive local files from the server.","state":"PUBLISHED","assigner":"mitre","published_at":"2026-03-20 14:16:16","updated_at":"2026-04-01 15:35:47"},"problem_types":["CWE-611","n/a","CWE-611 CWE-611 Improper Restriction of XML External Entity Reference"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"}}],"references":[{"url":"https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy","name":"https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy","refsource":"cve@mitre.org","tags":["Product"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.16#Security_Fixes","name":"https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.16#Security_Fixes","refsource":"cve@mitre.org","tags":["Release Notes"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://wiki.zimbra.com/wiki/Security_Center","name":"https://wiki.zimbra.com/wiki/Security_Center","refsource":"cve@mitre.org","tags":["Vendor Advisory","Release Notes"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories","name":"https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories","refsource":"cve@mitre.org","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-33371","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33371","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"33371","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"synacor","cpe5":"zimbra_collaboration_suite","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"33371","cve":"CVE-2026-33371","epss":"0.000470000","percentile":"0.145200000","score_date":"2026-04-03","updated_at":"2026-04-04 00:05:44"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}},{"other":{"content":{"id":"CVE-2026-33371","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-03-23T13:39:44.006410Z","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-611","description":"CWE-611 Improper Restriction of XML External Entity Reference","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-03-23T13:39:46.789Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"descriptions":[{"lang":"en","value":"An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. An XML External Entity (XXE) vulnerability exists in the Zimbra Exchange Web Services (EWS) SOAP interface due to improper handling of XML input. An authenticated attacker can submit crafted XML data that is processed by an XML parser with external entity resolution enabled. Successful exploitation may allow disclosure of sensitive local files from the server."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2026-03-20T14:09:04.967Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"url":"https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"},{"url":"https://wiki.zimbra.com/wiki/Security_Center"},{"url":"https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"},{"url":"https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.16#Security_Fixes"}]}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2026-33371","datePublished":"2026-03-20T00:00:00.000Z","dateReserved":"2026-03-19T00:00:00.000Z","dateUpdated":"2026-03-23T13:39:46.789Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-20 14:16:16","lastModifiedDate":"2026-04-01 15:35:47","problem_types":["CWE-611","n/a","CWE-611 CWE-611 Improper Restriction of XML External Entity Reference"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*","versionStartIncluding":"10.0.0","versionEndExcluding":"10.1.16","matchCriteriaId":"E8DBE536-EAB0-48FF-A195-C0DB0A7FBCA0"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"33371","Ordinal":"1","Title":"CVE-2026-33371","CVE":"CVE-2026-33371","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"33371","Ordinal":"1","NoteData":"An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. An XML External Entity (XXE) vulnerability exists in the Zimbra Exchange Web Services (EWS) SOAP interface due to improper handling of XML input. An authenticated attacker can submit crafted XML data that is processed by an XML parser with external entity resolution enabled. Successful exploitation may allow disclosure of sensitive local files from the server.","Type":"Description","Title":"CVE-2026-33371"}]}}}