Description
Zimbra Collaboration Suite (ZCS) 10.0 and 10.1 contains a reflected cross-site scripting (XSS) vulnerability in the Classic Webmail REST interface (/h/rest). The application fails to properly sanitize user-supplied input, allowing an unauthenticated attacker to inject malicious JavaScript into a crafted URL. When a victim user accesses the link, the injected script executes in the context of the Zimbra webmail application, which could allow the attacker to perform actions on behalf of the victim.
Published: 2026-03-20
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected XSS
Action: Apply Patch
AI Analysis

Impact

The Zimbra Collaboration Suite 10.0 and 10.1 contain a reflected cross-site scripting vulnerability in the Classic Webmail REST interface (/h/rest). An unauthenticated attacker can embed malicious JavaScript in a crafted URL; when a victim opens that link, the script runs inside the webmail application context, allowing the attacker to act as the victim. This is a reflected XSS weakness identified as CWE-79.

Affected Systems

Affected systems are Zimbra Collaboration Suite versions 10.0 and 10.1 from Synacor. No other versions were listed as vulnerable in the advisory.

Risk and Exploitability

The CVSS score is 6.1, indicating moderate severity, and the EPSS score is below 1%, suggesting a low current probability of exploitation. The vulnerability is not listed in CISA's KEV catalog, implying no known widespread exploitation at the time of reporting. Exploitation requires an unauthenticated attacker to lure a user into opening a crafted URL; the impact includes session hijacking or unauthorized actions within the webmail context. Overall, the risk is moderate, but mitigation is recommended.

Generated by OpenCVE AI on April 2, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zimbra Collaboration Suite to version 10.1.16 or newer, which contains the security fix.
  • If upgrade is not immediately possible, block unauthenticated access to the /h/rest endpoint to prevent exploitation.

Generated by OpenCVE AI on April 2, 2026 at 04:20 UTC.

Tracking


Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type: Title
Values Removed: (none)
Values Added: Zimbra Collaboration Suite Reflected XSS in Classic Webmail REST Interface

Wed, 01 Apr 2026 23:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Synacor; Synacor zimbra Collaboration Suite

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Synacor; Synacor zimbra Collaboration Suite

Wed, 25 Mar 2026 14:15:00 +0000

Type: Title
Values Removed: (none)
Values Added: Zimbra Collaboration Suite Reflected XSS in Classic Webmail REST Interface

Mon, 23 Mar 2026 14:15:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: Metrics
Values Removed: (none)
Values Added:
cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Zimbra; Zimbra collaboration

Type: Vendors & Products
Values Removed: (none)
Values Added: Zimbra; Zimbra collaboration

Fri, 20 Mar 2026 14:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Zimbra Collaboration Suite (ZCS) 10.0 and 10.1 contains a reflected cross-site scripting (XSS) vulnerability in the Classic Webmail REST interface (/h/rest). The application fails to properly sanitize user-supplied input, allowing an unauthenticated attacker to inject malicious JavaScript into a crafted URL. When a victim user accesses the link, the injected script executes in the context of the Zimbra webmail application, which could allow the attacker to perform actions on behalf of the victim.

Type: References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-23T13:22:23.589Z

Reserved: 2026-03-19T00:00:00.000Z

Link: CVE-2026-33368

Vulnrichment

Updated: 2026-03-23T13:08:58.588Z

NVD

Status: Analyzed

Published: 2026-03-20T14:16:15.810

Modified: 2026-04-01T15:37:25.367

Link: CVE-2026-33368

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:59:42Z

Weaknesses