CVE-2026-33372

Source
https://cve.org/CVERecord?id=CVE-2026-33372
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33372.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33372
Published
2026-03-20T00:00:00Z
Modified
2026-07-10T04:02:57.685907083Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A cross-site request forgery (CSRF) vulnerability exists in Zimbra Webmail due to improper validation of CSRF tokens. The application accepts CSRF tokens supplied within the request body instead of requiring them through the expected request header. An attacker can exploit this issue by tricking an authenticated user into submitting a crafted request. This may allow unauthorized actions to be performed on behalf of the victim.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33372.json",
    "cna_assigner": "mitre"
}
References

Affected packages

Git / github.com/zimbra/zm-build

Affected ranges

Type
GIT
Repo
https://github.com/zimbra/zm-build
Events
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "10.0.0"
        },
        {
            "fixed": "10.1.16"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33372.json"

Git / github.com/zimbra/zm-zcs-lib

Affected ranges

Type
GIT
Repo
https://github.com/zimbra/zm-zcs-lib
Events
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "10.0.0"
        },
        {
            "fixed": "10.1.16"
        }
    ]
}

Affected versions

10.*
10.0.0-GA
10.1.0
10.1.1
10.1.13
10.1.14
10.1.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33372.json"