CVE-2026-33370
Received Received - Intake
Stored XSS in Zimbra Briefcase Enables Session Hijacking

Publication date: 2026-03-20

Last updated on: 2026-04-01

Assigner: MITRE

Description
An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Zimbra Briefcase feature due to insufficient sanitization of specific uploaded file types. When a user opens a publicly shared Briefcase file containing malicious scripts, the embedded JavaScript executes in the context of the user's session. This allows an attacker to run arbitrary scripts, potentially leading to data exfiltration or other unauthorized actions on behalf of the victim user.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33370
EUVD
EUVD-2026-13694
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
synacor zimbra_collaboration_suite From 10.0.0 (inc) to 10.1.16 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate the stored cross-site scripting (XSS) vulnerability in the Zimbra Briefcase feature (CVE-2026-33370), you should apply the patch provided in the Zimbra Daffodil 10.1.16 release.

This patch fixes the vulnerability by preventing unsafe inline rendering of specific uploaded file types when shared publicly, thereby stopping malicious script execution.

Updating to Zimbra Collaboration version 10.1.16 or later is the recommended immediate step to secure your system against this issue.

Compliance Impact

I don't know

Detection Guidance

I don't know

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-33370 is a stored cross-site scripting (XSS) vulnerability found in the Zimbra Collaboration Suite (ZCS) versions 10.0 and 10.1, specifically in the Briefcase feature.'}, {'type': 'paragraph', 'content': "The vulnerability arises because certain uploaded file types are not properly sanitized when they are shared publicly. When a user opens such a publicly shared Briefcase file containing malicious scripts, the embedded JavaScript executes within the context of the user's session."}, {'type': 'paragraph', 'content': 'This allows an attacker to run arbitrary scripts on behalf of the victim user, potentially leading to unauthorized actions or data theft.'}] [1]

Impact Analysis

This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript code in your user session when you open a malicious file shared via the Zimbra Briefcase.

Such script execution can lead to unauthorized actions performed on your behalf, including data exfiltration or manipulation of your account or data.

In practical terms, this means your sensitive information could be stolen or your account could be compromised without your knowledge.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33370. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart