CVE-2026-33370

Source
https://cve.org/CVERecord?id=CVE-2026-33370
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33370.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33370
Published
2026-03-20T00:00:00Z
Modified
2026-07-10T04:02:57.638551868Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Zimbra Briefcase feature due to insufficient sanitization of specific uploaded file types. When a user opens a publicly shared Briefcase file containing malicious scripts, the embedded JavaScript executes in the context of the user's session. This allows an attacker to run arbitrary scripts, potentially leading to data exfiltration or other unauthorized actions on behalf of the victim user.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33370.json",
    "cna_assigner": "mitre"
}
References

Affected packages

Git / github.com/zimbra/zm-build

Affected ranges

Type
GIT
Repo
https://github.com/zimbra/zm-build
Events
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "10.0.0"
        },
        {
            "fixed": "10.1.16"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33370.json"

Git / github.com/zimbra/zm-zcs-lib

Affected ranges

Type
GIT
Repo
https://github.com/zimbra/zm-zcs-lib
Events
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "10.0.0"
        },
        {
            "fixed": "10.1.16"
        }
    ]
}

Affected versions

10.*
10.0.0-GA
10.1.0
10.1.1
10.1.13
10.1.14
10.1.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33370.json"