Zimbra Collaboration XML External Entity Vulnerability in Exchange Web Services

Vulnerability

An XML External Entity (XXE) vulnerability has been identified in Zimbra Collaboration (ZCS) versions 10.0 and 10.1. The issue resides in the Exchange Web Services (EWS) SOAP interface, where XML input is not properly sanitized. As a result, an authenticated attacker can submit crafted XML that is processed by an XML parser with external entity resolution enabled. Exploiting this vulnerability could lead to the unauthorized disclosure of sensitive local files from the server.
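
The defensive counterpart to the parser behaviour described above, as an added example that is not Zimbra's code: a request gate that refuses any DOCTYPE or external entity reference before a SOAP body reaches the real handler, since EWS clients never legitimately send a DTD. The SOAP envelopes and the placeholder entity URI are constructed for the example.

```python
import xml.parsers.expat

# Constructed EWS-style SOAP request (not a real capture).
BENIGN_REQUEST = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages"
               xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
  <soap:Body><m:GetFolder><m:FolderIds><t:DistinguishedFolderId Id="inbox"/></m:FolderIds></m:GetFolder></soap:Body>
</soap:Envelope>"""

# Constructed request carrying a DTD that declares an external entity
# (placeholder URI; the DTD itself is what the gate must reject).
DTD_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE Envelope [ <!ENTITY ext SYSTEM "file:///placeholder/not-a-real-path"> ]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>&ext;</soap:Body>
</soap:Envelope>"""


class UnsafeXmlError(ValueError):
    """Raised when a request carries a DTD or an external entity reference."""


def make_hardened_parser() -> xml.parsers.expat.XMLParserType:
    """Expat parser that refuses every DOCTYPE and every external entity reference.
    Rejecting all DTDs closes the XXE class outright instead of trying to
    enumerate which entity declarations are dangerous."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE '{name}' is not allowed in SOAP requests")

    def on_external_entity(context, base, sysid, pubid):
        raise UnsafeXmlError(f"external entity reference to {sysid!r} refused")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    return parser


def classify_request(body: bytes) -> str:
    """Return 'accepted', 'rejected-dtd' or 'malformed' for a SOAP request body.
    Run this in front of the SOAP handler and log 'rejected-dtd' results:
    a DTD in EWS traffic is a reliable detection signal, not a client quirk."""
    try:
        make_hardened_parser().Parse(body, True)
    except UnsafeXmlError:
        return "rejected-dtd"
    except xml.parsers.expat.ExpatError:
        return "malformed"
    return "accepted"
```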

Impact

Successful exploitation allows for the disclosure of sensitive local files from the server.

Remediation

Users can upgrade to ZCS version 10.1.16, which addresses this vulnerability. Instructions for upgrading are available on the Zimbra website.

Added: Mar 20, 2026, 2:21 PM
Updated: Mar 20, 2026, 2:21 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 2.5
exploitability: 5.4
remediation: 7.7
relevance: 4.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.