CVE-2026-33368
Received Received - Intake
Reflected XSS in Zimbra Webmail REST Interface Allows Account Hijack

Publication date: 2026-03-20

Last updated on: 2026-04-01

Assigner: MITRE

Description
Zimbra Collaboration Suite (ZCS) 10.0 and 10.1 contains a reflected cross-site scripting (XSS) vulnerability in the Classic Webmail REST interface (/h/rest). The application fails to properly sanitize user-supplied input, allowing an unauthenticated attacker to inject malicious JavaScript into a crafted URL. When a victim user accesses the link, the injected script executes in the context of the Zimbra webmail application, which could allow the attacker to perform actions on behalf of the victim.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33368
EUVD
EUVD-2026-13690
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
synacor zimbra_collaboration_suite From 10.0.0 (inc) to 10.1.16 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

I don't know

Executive Summary

Zimbra Collaboration Suite (ZCS) versions 10.0 and 10.1 have a reflected cross-site scripting (XSS) vulnerability in their Classic Webmail REST interface (/h/rest). This vulnerability occurs because the application does not properly sanitize user-supplied input. An unauthenticated attacker can craft a URL containing malicious JavaScript code. When a victim user clicks on this URL, the malicious script executes within the context of the Zimbra webmail application.

Impact Analysis

The vulnerability allows an attacker to execute malicious JavaScript code in the context of the victim's Zimbra webmail session. This can enable the attacker to perform actions on behalf of the victim user, potentially leading to unauthorized access to user data, session hijacking, or other malicious activities within the webmail application.

Compliance Impact

I don't know

Detection Guidance

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33368. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart